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SECURITY OF HEALTHCARE.GOV 


TUESDAY, NOVEMBER 19, 2013 

House of Representatives, 

Subcommittee on Oversight and Investigations, 

Committee on Energy and Commerce, 

Washington, DC. 

The subcommittee met, pursuant to call, at 10:15 a.m., in room 
2123 of the Rayburn House Office Building, Hon. Tim Murphy 
(chairman of the subcommittee) presiding. 

Members present: Representatives Murphy, Burgess, Blackburn, 
Scalise, Harper, Olson, Gardner, Griffith, Johnson, Long, Ellmers, 
Barton, Upton (ex officio), DeGette, Braley, Lujan, Schakowsky, 
Butterfield, Welch, Tonko, Yarmuth, Dingell, and Waxman (ex offi- 
cio). 

Staff present: Carl Anderson, Counsel, Oversight; Mike 
Bloomquist, General Counsel; Sean Bonyun, Communications Di- 
rector; Karen Christian, Chief Counsel, Oversight and Investiga- 
tions; Noelle Clemente, Press Secretary; Brad Grantz, Policy Coor- 
dinator, Oversight and Investigations; Brittany Havens, Legislative 
Clerk; Sean Hayes, Counsel, Oversight and Investigations; Bran- 
don Mooney, Professional Staff Member; Andrew Powaleny, Deputy 
Press Secretary; Tom Wilbur, Digital Media Advisor; Jessica 
Wilkerson, Staff Assistant; Stacia Cardille, Democratic Deputy 
Chief Counsel; Brian Cohen, Democratic Staff Director, Oversight 
and Investigations, and Senior Policy Advisor; Hannah Green, 
Democratic Staff Assistant; Elizabeth Letter, Democratic Press Sec- 
retary; Karen Lightfoot, Democratic Communications Director and 
Senior Policy Advisor; Karen Nelson, Democratic Deputy Com- 
mittee Staff Director for Health; Stephen Salsbury, Democratic 
Special Assistant; and Matt Siegler, Democratic Counsel. 

OPENING STATEMENT OF HON. TIM MURPHY, A REPRESENTA- 
TIVE IN CONGRESS FROM THE COMMONWEALTH OF PENN- 
SYLVANIA 

Mr. Murphy. Good morning. I convene this hearing of the Sub- 
committee on Oversight and Investigations to discuss the security 
of the Healthcare.gov Web site. 

Americans want to know the answers to two simple questions: is 
my information secure if I use Healthcare.gov, and why should I 
believe the administration that it is? 

It has been nearly 50 days since the launch of Healthcare.gov, 
and the Web site is still not functioning at an acceptable level. This 
is despite the numerous promises and assurances the public was 

( 1 ) 
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given by members of the administration leading up to and over the 
several months up to the launch of the Web site. 

This committee heard directly from Secretary Sebelius, Adminis- 
trator Tavenner, and CCIIO Director, Gary Cohen, that they were 
ready by October 1. We are all deeply troubled that the individuals 
who want to be in charge of America’s healthcare system could not 
even predict accurately if the Web site would work. And those pre- 
dictions were not just limited to the Web site. We have also been 
routinely promised that the Web site was safe, and that Americans’ 
personal information would be secure. 

When Administrator Tavenner last appeared before this com- 
mittee, she informed us that testing began in October of last year, 
that end-to-end testing would be completed by the end of August 
this year. We have now learned that this simply was not the case. 
End-to-end testing is not possible when the Web site isn’t com- 
pleted. 

Today we hope to hear from our witness about how much of the 
Web site remains to be built. If the first parts of Healthcare.gov 
have been this problematic, we are obviously concerned about parts 
that are being constructed under current pressures and time con- 
straints. 

The witness for our first panel today is Mr. Henry Chao, the 
Deputy Chief Information Officer at the Centers for Medicare and 
Medicaid Services, and we want to thank you for coming and testi- 
fying today. I can only imagine how stressful the last few months 
have been for you, so welcome here. Yet, I hope you can appreciate 
the fact that HHS has a ways to go to regain the trust of the Amer- 
ican people in this Web site. They were promised a functioning 
Web site as easy as buying a TV on Amazon, and what they got 
was a train wreck. 

The reason the trust of the American people may be so difficult 
to regain is because every day, new revelations emerge that show 
this wreck was entirely foreseeable. Last week, this subcommittee 
uncovered emails from CMS showing that as early as July of this 
year, Mr. Chao, our first witness, was worried that the company 
primarily responsible for building the Web site, CGI, would “crash 
at takeoff.” 

Today this subcommittee also released materials showing that as 
early as March to April of this year, top administration officials 
were well aware that Healthcare.gov was far off schedule, and test- 
ing of the Web site would be limited. We have also learned that 
Healthcare.gov was only launched after Administrator Tavenner 
signed an authority to operate, which included a memo warning 
her that a full security control assessment was not yet completed. 
This memo makes it clear that the highest levels of CMS knew 
that there were security risks present, yet again, while this docu- 
ment was being signed in private, administration officials were 
promising the public that in only a few days, the American people 
would be able to use a perfectly functioning Web site. 

A few weeks ago. Secretary Sebelius told this committee that the 
highest security standards are in place, and people have every 
right to expect privacy. I hope that today we hear what those 
standards are, not only from Mr. Chao and also from our second 
panel as well. 
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Our second panel features some of the contractors that are re- 
sponsible for the security of Healthcare.gov, and I thank them for 
testifying today. I am disappointed that one of the companies re- 
sponsible for security, Verizon, chose not to testify today. We will 
certainly be following up with Verizon so that they are accountable 
to the public for their work here. 

Today’s hearing is not just about the Web site. Web sites can be 
fixed. What cannot be fixed is the damage that could be done to 
the American people if their personal data is compromised. Right 
now, Healthcare.gov screams to those who are trying to break into 
the system, “If you like my healthcare info, maybe you can steal 
it.” 

[The prepared statement of Mr. Murphy follows:] 

Prepared statement of Hon. Tim Murphy 

Americans want to know the answers to two simple questions: Is my information 
secure if I use HealthCare.gov? And why should I believe the administration that 
it is? 

It has been nearly 50 days since the launch of HealthCare.gov, and the Web site 
is still not functioning at an acceptable level. This is despite the numerous promises 
and assurances the public was given by members of the administration leading up 
to the launch of the Web site. This committee heard directly from Secretary 
Sebelius, Administrator Tavenner, and CCIIO Director Gary Cohen that they were 
ready by October 1. We are all deeply troubled that the individuals who want to 
be in charge of America’s healthcare system could not even predict accurately if the 
Web site would work. 

And those predications were not just limited to the Web site. We have also been 
routinely promised that the Web site was safe and that Americans personal infor- 
mation would be secure. When Administrator Tavenner last appeared before this 
committee, she informed us that testing began in October of last year, and that end- 
to-end testing would be completed by the end of August this year. We have now 
learned that this was simply not the case. End-to-end testing is not possible when 
the Web site isn’t completed. Today, we hope to hear from our witness about how 
much of the Web site remains to be built. If the first parts of HealthCare.gov have 
been this problematic, we are obviously concerned about parts that are being con- 
structed under current pressures and time constraints. 

The witness for our first panel today is Mr. Henry Chao, the Deputy Chief Infor- 
mation Officer at the Centers for Medicare and Medicaid Services. We thank you 
for testifying today. I can only imagine how stressful the last few months have been. 
Yet, I hope you can appreciate the fact that HHS has a ways to go to regain the 
trust of the American people. They were promised a functioning Web site — as easy 
as buying “a TV on Amazon” — and they got a train wreck. 

The reason the trust of the American people may be so difficult to regain is be- 
cause every day new revelations emerge that show this train wreck was entirely 
foreseeable. Last week this subcommittee uncovered emails from CMS showing that 
as early as July of this year Mr. Chao, our first witness, was worried that the com- 
pany primarily responsible for building the Web site — CGI — would crash on takeoff. 
This subcommittee also released materials showing that as early as April top ad- 
ministration officials were well aware that Healthcare.gov was far off schedule and 
testing of the Web site would be limited. 

We have also learned that HealthCare.gov was only launched after Administrator 
Tavenner signed an “Authority to Operate,” which included a memo warning her 
that a full Security Control Assessment was not completed. This memo makes it 
clear that the highest levels of CMS knew that there were security risks present. 
Yet, again, while this document was being signed behind closed doors, in public, ad- 
ministration officials were promising that in only a few days the public would be 
able to use a perfectly functioning Web site. 

A few weeks ago Secretary Sebelius told this committee that the “highest security 
standards are in place, and people have every right to expect privacy.” I hope that 
today we hear what those standards are from not only Mr. Chao, but our second 
panel as well. Our second panel features some of the contractors that are respon- 
sible for the security of HealthCare.gov, and I thank them for testifying today. I am 
disappointed that one of the companies responsible for security, Verizon, chose not 



4 


to testify today. We will certainly be following up with Verizon so that they are ac- 
countable to the public for their work here. 

Today’s hearing is not just about the Weh site. Web sites can be fixed. What can- 
not be fixed is the damage that could be done to Americans if their personal data 
is compromised. 

Right now, HealthCare.gov screams to crooks, “If you like my healthcare info, you 
can steal it.” 

Mr. Murphy. But I now recognize for an opening statement Ms. 
DeGette of Colorado, for 5 minutes. 

OPENING STATEMENT OF HON. DIANA DEGETTE, A REP- 
RESENTATIVE IN CONGRESS FROM THE STATE OF COLO- 
RADO 

Ms. DeGette. Thank you very much, Chairman Murphy. I want 
to add to your thanks to Mr. Chao for being here today, as well as 
the three contractor witnesses; MITRE, CCSi and Foreground. 

We must make sure that the data on Healthcare.gov is secure. 
Everybody can agree on that. The American people must know that 
their data is protected when they go on the site to find a quality, 
affordable insurance plan for themselves or their families. This is 
critical. However, my fear is that today’s hearing is actually less 
about the facts of the security of Healthcare.gov, and more about 
political points and undermining the ACA. 

Now, without a doubt, no one could disagree there are troubling 
problems with the rollout of the Exchanges. Three weeks ago, our 
full committee held the first hearing on the inexcusable fact that 
Healthcare.gov seems to have been broken since it was very first 
launched. And three weeks later, while improving, it is clearly not 
up to speed. As I have said before, the Exchanges need to be fixed, 
and they need to be fixed fast so that the American people can eas- 
ily access quality, affordable insurance plans open to them. I hope 
we will have another hearing after the November 30 deadline to 
see how they are working. 

My fear about this hearing today though is that it won’t en- 
lighten the American public, but instead raise unjustified fears 
about security piling on all of the other issues. Now, obviously, as 
I said, we need to make sure that the data on Healthcare.gov is 
secure, but we should not create smoke if there is no fire. 

So before we begin, I want to give the American people some 
peace of mind based on the facts that we know about security on 
Healthcare.gov. 

First, and critically, no American has to provide any personal 
health information to Healthcare.gov or to insurers in order to 
qualify for health coverage and subsidies. To make sure about this, 
I went on the Exchange myself the other day, and that is because 
the ACA bans discrimination based on pre-existing health condi- 
tions. Before the ACA became law, Americans buying coverage on 
the individual insurance market had to fill out page after page of 
personal health information to apply for insurance. But no longer, 
thanks to the Affordable Care Act. Americans do not have to turn 
over any private health insurance to get coverage. 

Second, while no Web site in the Government or in the private 
sector is 100 percent secure, unfortunately, there is a complex and 
detailed set of rules that HHS must follow to make sure that data 
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on Healthcare.gov is secure. And I am looking forward to hearing 
from you, Mr. Chao, about these security issues today. 

The Agency has a long record of maintaining personal informa- 
tion about Medicare, Medicaid, Social Security and many areas, 
and has never had a significant leak of information. HHS must 
comply with the Federal Information Security Management Act, 
and National Institute of Standards and Technology Guidelines to 
protect information systems and the data collected or maintained 
by Healthcare.gov. And like all Federal agencies, HHS is required 
to develop, document and implement an agency- wide information 
security program. 

To date, our committee’s investigation has found that CMS has 
complied with every important security rule and guideline. They 
hired a small army of contractors to make sure the Web site is se- 
cure, and they are going to talk to us about it today. 

The memo, Mr. Chairman, that you talked about at our last 
hearing, that identified some security concerns, primarily a lack of 
end-to-end testing on Healthcare.gov, but it also outlined a mitiga- 
tion plan, one we learned was — that the Agency was following to 
mitigate security risks. So I want to hear from the contractors and 
from you, Mr. Chao, if, in fact, these findings are being heeded. 

Now, unfortunately, Mr. Chairman, I have to raise one more 
issue in my remaining minute, and that is this committee’s grand 
tradition of bipartisanship investigation. Apparently, the com- 
mittee, last Thursday, received a memo from CMS, Red Team dis- 
cussion document. The majority on this committee did not share 
this memo with the minority on this committee until yesterday, co- 
incidentally, just after they leaked this memo to The Washington 
Post. Now — and if you saw The Washington Post front page today, 
you saw a big story, and, Mr. Chairman, you were quoted in that 
story, talking about concerns about the readiness of the Exchange 
based on this memo. 

I know that is not the topic of this hearing today, but I have got 
to say it is not in the tradition of the committee to conduct inves- 
tigations that way. And when the majority received this memo, it 
should have immediately provided it to all of the members so that 
we could read it and find out. We are all just as concerned about 
making these Exchanges work. 

And to that end, Mr. Waxman and I have written a letter ex- 
pressing our displeasure, and we would like to enter that into the 
record at this time, Mr. Chairman. 

[The information follows:] 
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FRED UPTON, MICHIGAN 
CHAIRMAN 


HENRY A. WAXMAN, CAUFORNIA 
RANKING MEMBER 


ONE HUNDRED THIRTEENTH CONGRESS 

Congregg of tfje UnttciJ 

^ou£(e of ^epreiientatitiei^ 

COMMiTTEE ON ENERGY AND COMMERCE 
2125 Rayburn House Office Buildino 
Washington, DC 20515-6115 

M»iority I2Q21 225-23Z7 
MinorHy 12021 32S'3S41 

November 19, 2013 


The Honorable Fred Upton 
Chairman 

Committee on Energy and Commerce 
2125 Rayburn House Office Building 
Washington, D.C. 20515 

The Honorable Tim Murphy 
Chairman 

Subcommittee on Oversight and Investigations 
Committee on Energy and Commerce 
2125 Rayburn House Office Building 
Washington, D.C. 20515 

Dear Chairman Upton and Chairman Murphy: 

We are writing to express our extreme disappointment in the process by which yott are 
conducting the Committee investigation into the readiness and security ofHealthcare.gov. 

We have learned that the Republican majority received documents and information 
related to the investigation on Thursday, November 14, 2013, from a subcontractor hired by 
Centers for Medicare and Medicaid Services to conduct a March 2013 “pressure test” of the 
“trajectory of the federal marketplace."* These documents were provid^ based on a request that 
was an outgrowth of an official Chairman’s request letter sent on October 31, 2013.^ 

Republican Committee staff did not provide any documents to the Democratic stafifuntil 
four days after they were provided to the Committee. At this point, minority staff was provided 
with only a partial production of these materials on Monday afternoon, November 1 8, less than 
24 hours before today’s hearing. Additional portions of this official document production were 


' McKinsey & Company, Red Team: Discussion document (undated), 

* Letter from Chairman Fred Upton, Chairman Emeritus loe Barton, Chairman Tim 
Murphy, Chairman Joseph Pitts, Vice Chairman Marsha Blackburn, Vice Chainnan Michael 
Burgess, Rep. Mike Rogers, and Rep. Bill Johnson to MITRE Corporation (Oct. 31, 2013), 
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The Honorable Fred Upton 
The Honorable Tim Murphy 
November 19, 2013 
Page 2 

withheld from the minority and appear to have been shared with press prior to being shared with 
minority Committee staff. 

Your failure to provide the minority with copies of relevant investigatory documents in a 
timely fashion runs counter to the longstanding practice of this Committee. It is also inconsistent 
with House Rule XI, which provides that “all committee records (including hearings, data, charts 
and files) . . . shall be the property of the House and each Member, Delegate and the Resident 
Commissioner shall have access thereto.”^ Additionally, the Rules prescribe that the ranking 
minority member “shall have access to information before a [investigative] subcommittee with 
which they so consult.’'* 

Excluding Democratic members from timely access to the full Committee record calls 
into question the credibility and fairness of the Committee’s inquiry. 

We also observe that this is the second time in four days that you have leaked Committee 
investigative material to the press. Again, this is not the way the Committee traditionally 
operates, and we question your judgment in leaking this material without appropriate context, 
without the benefit of witness testimony to provide additional information, and in this latest case, 
without providing Democratic members timely access. 

We urge you to reconsider your practices and ensure that Democratic members have 
access to the full Committee record in the future. 

Sincerely, 

Diana DeOette 




^ Rules of the House of Representatives, Rule XI clause (e)(2)(A). 
* Rules of the House of Representatives, Rule XI clause (m)(C). 
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Mr. Murphy. That is fine, and I will look forward to talking with 
you more about these procedures. I know that these came as part 
of a couple of hundred thousand pages of documents that we are 
going through, but I will be glad to review that with you because 
I certainly respect my colleague on this 

Ms. DeGette. That we were able to find it in time to give it to 
The Washington Post in time for today’s hearing, and to be 
quoted 

Mr. Murphy. We will 

Ms. DeGette [continuing]. In The Washington Post. 

Mr. Murphy. We will have a good discussion on that. I thank my 
colleague, whose time has expired. 

I now recognize the chairman of the full committee, Mr. Upton, 
for 5 minutes. 

OPENING STATEMENT OF HON. FRED UPTON, A REPRESENTA- 
TIVE IN CONGRESS FROM THE STATE OF MICHIGAN 

Mr. Upton. Well, thank you, Mr. Chairman. 

You know, for months, administration witnesses have come be- 
fore this committee and assured us that the implementation of the 
President’s healthcare law was “on track” — their words — and that 
Healthcare.gov would be ready for the October 1 launch. But why 
not give the straight story to the Congress and the public, because 
back on April 18, Secretary Sebelius testified in this very room, we 
have the Federal hub on track and on time. I can tell you we are 
on track. Those are her words. But we now know that the Sec- 
retary’s testimony did not match what was happening behind the 
scenes. 

Two weeks before she testified before this committee. Secretary 
Sebelius was present at an April 4 meeting where experts identi- 
fied significant threats and risks launching the site on October 1. 
The administration was on track, on track for disaster, but stub- 
bornly they stayed the course, repeating their claims that all is 
well and on track, right up until the mess that launched on Octo- 
ber 1. And even after the launch, administration officials insisted 
that the volume was primarily the culprit, when they, in fact, knew 
otherwise. 

But our oversight of the health law is not just about a Web site. 
No, it is not. It is about whether the public can trust and rely on 
this healthcare system that the administration has been building 
for over three years, and spending hundreds of millions of dollars. 
The failure of this Web site has significant consequences for all 
Americans. One important question is whether individuals will be 
able to enroll and obtain coverage by January 1. Security is an- 
other critical concern. How can the public trust a hastily thrown- 
together system in which meeting a deadline was more important 
for the administration than conducting complete end-to-end testing 
of the site’s security. 

Mr. Henry Chao, Deputy Chief Information Officer of CMS, is 
here to answer those questions, about CMS’s management of the 
Federal Exchange and the implications for security. And, Mr. Chao, 
I do understand that you are a career employee, and have been at 
CMS for years, and I know, as Chairman Murphy indicated, the 
last few months have not been particularly easy. Last March, you 
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were one of the first to publicly offer a glimpse of the true situation 
when you candidly remarked about the Web site and said, let us 
just make sure it is not a Third World experience. Documents pro- 
duced to the committee paint a clear picture that the administra- 
tion officials, in fact, knew for months before the October 1 date 
about delays and problems with the Web site development. Mr. 
Chao, you have been responsible for managing the development of 
Healthcare.gov, but I can imagine many matters were outside of 
your control. And given the lack of end-to-end testing, I hope that 
you can explain to us today why the administration felt confident 
in the security of Healthcare.gov when the system went live on Oc- 
tober 1. 

We are also joined by three companies that were awarded con- 
tracts by CMS to provide security services for the Federal Ex- 
change. These companies are here also today to answer questions 
about their roles. I know the subjects of security presents certain 
sensitivities, and I am glad that they made the decision to accept 
our invitations to testify and inform us about how Healthcare.gov 
works or doesn’t. 

One thing that we have learned; there are countless contractors 
involved in building this Web site, and responsibilities are divided. 
Very divided. It is a complex system, I know, but we would like to 
know how the delays and rushed implementation have affected or 
complicated the ability to perform the security work for the Web 
site. 

[The prepared statement of Mr. Upton follows:] 

Prepared statement of Hon. Fred Upton 

For months, administration witnesses have come before this committee and as- 
sured us thatimplementation of the president’s healthcare law was “on track,” and 
that HealthCare.gov would be ready for the October 1 launch. 

But why not pve the straight story to the Congress and the public? On April 18, 
Secretary Sebelius testified in this very room, “we have the Federal hub on track 
and on time. . I can tell you we are on track.” But we now know that the secretary’s 
testimony did not match what was happening behind the scenes. Two weeks before 
she testified before this committee. Secretary Sebelius was present at an April 4 
meeting where experts identified significant threats and risks to launching the site 
on October 1. The administration was on track — on track for disaster. But stub- 
bornly, they stayed the course, repeating their claims that all was well and on track 
right up until the mess that launched October 1. Even after the launch, administra- 
tion officials insisted volume was the primary culprit, when they knew otherwise. 

But our oversight of the health law is not just about a Web site. It is about wheth- 
er the public can trust and rely on this healthcare system that the administration 
has been building for over 3 years. The failures of this Web site have significant 
consequences for Americans. One important question is whether individuals will be 
able to enroll and obtain coverage by January 1. Security is another critical concern. 
How can the public trust a hastily thrown together system in which meeting a dead- 
line was more important for the administration than conducting complete, end to 
end testing of the site’s security? 

Mr. Henry Chao, Deputy Chief Information Officer of CMS, is here to answer our 
questions about CMS’ management of the Federal exchange and the implications for 
security. Mr. Chao, I understand you are a career employee and have been at CMS 
for years. I am sure the last few months have not been easy for you. Last March, 
you were one of the first to publicly offer a glimpse of the true situation when you 
candidly remarked about the Web site, “Let’s just make sure it’s not a third-world 
experience.” Documents produced to the committee paint a clearer picture that ad- 
ministration officials knew for months before October 1 about delays and problems 
with the Web site development. Mr. Chao, you have been responsible for managing 
the development of HealthCare.gov, but I imagine many matters were outside your 
control. Given the lack of end-to-end testing, I hope you can explain to us today why 
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the administration felt confident in the security of HealthCare.gov when the system 
went live on October 1. 

We are also joined by three companies that were awarded contracts by CMS to 
provide security services for the Federal exchange. These companies — MITRE, CCSi, 
and Foreground — are here today to answer questions about their roles. I know the 
subject of security presents certain sensitivities and I am glad they made the deci- 
sion to accept our invitations to testify and inform this committee about how 
HealthCare.gov works. One thing we have learned — there are countless contractors 
involved in building this Web site, and responsibilities are divided. It is a complex 
system. I would like to know how the delays and rushed implementation have af- 
fected or complicated your ability to perform the security work for the Web site. 

Mr. Upton. And I yield the balance of my time to Dr. Burgess. 

OPENING STATEMENT OF HON. MICHAEL C. BURGESS, A 
REPRESENTATIVE IN CONGRESS FROM THE STATE OF TEXAS 

Mr. Burgess. I thank the chairman for the recognition, and I do 
want to thank our witnesses for being here today. 

Pretty broad agreement, the implementation of the Affordable 
Care Act has been problematic, and rather than getting better, it 
may be getting worse. We have low enrollment numbers, a Web 
site so bad that it has required the appointment of a glitch tsar, 
cancelled plan, broken promises from the President, just for start- 
ers. These initial problems break the surface of the deeper issues 
that lie ahead for not just the law, but for the American people 
that must live under the law. 

And, Mr. Chao, you probably, prior to anyone else, sounded the 
alarm with that speech to AHIP, and I know you are tired of hear- 
ing it, but I will tell you once again, your comments that you were 
just trying to prevent the Web site from becoming a Third World 
experience, I admire your ability to see over the horizon and tell 
the problems before they come up and hit you in the windshield. 
But also you are the one who recommended that it was safe to 
launch the Web site on October 1. So what happened in those 6 
months that led you, yourself, and others in the administration to 
believe that this law was, in fact, ready for primetime? Not only 
did the Center for Medicare and Medicaid Services fail to establish 
basic functionality, but Healthcare.gov’s flaws continue to pose a 
threat to the security of Americans’ personal data. And just on a 
personal note, when I went to Healthcare.gov this morning, it was 
still not functional. Another Web site, HealthSherpa.com, can actu- 
ally tell me about the plans that are available in my area. We 
know it was possible to do this. We are all wondering why it 
wasn’t. 

Thank you, Mr. Chairman. I will yield back. 

Mr. Murphy. Gentleman yields back. 

Now recognize the ranking member of the full committee, Mr. 
Waxman, for 5 minutes. 

OPENING STATEMENT OF HON. HENRY A. WAXMAN, A REP- 
RESENTATIVE IN CONGRESS FROM THE STATE OF CALI- 
FORNIA 

Mr. Waxman. Thank you very much, Mr. Chairman. 

The last 6 weeks have been difficult ones for supporters of the 
Affordable Care Act. The troubled rollout of the Web site prevented 
many of our constituents from signing up for the affordable, high- 
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quality coverage for which they now qualify. And it has been re- 
lentlessly exploited for political gain by Republican opponents of 
the law. 

I was interested to hear the phrase in the 2 Republicans’ state- 
ments, maybe in all of them; we don’t want a Third World Web 
site. Well, let me tell you what is Third World. Third world in this 
country is when we leave millions of people unable to get insurance 
because they have pre-existing medical conditions, or they can’t af- 
ford it. No other industrial country allows such a thing to happen, 
but that is what Republicans who have opposed this law would 
have us return to. 

I think we are turning the corner on the Web site. On Friday, 
Jeff Zients, the administration’s point person on Healthcare.gov, 
announced two key metrics of improvement, and it seems to me 
these are all very good signs the Web site is getting better. Addi- 
tional improvements are still needed, but Healthcare.gov means 
more and more people will be signing up for coverage as that Web 
site becomes more usable. 

I want to tell you what is happening in California. In the first 
month, 35,000 people enrolled in the Exchange, over 70,000 quali- 
fied for Medicaid, and State officials say that the pace of enroll- 
ment is increasing. In just the first 12 days of November, enroll- 
ment from the first month almost doubled. 

Now, I know we are looking today at the issue of data security 
on Healthcare.gov. It is an important issue. We should begin by ac- 
knowledging that the ACA represents an enormous step forward 
for privacy because, when people apply for insurance coverage, the 
law bans them from being asked questions about their under- 
writing, about their medical conditions, about the privacy of things 
that affect their health, because it is not necessary to ask those 
questions. They are not going to be denied insurance coverage be- 
cause of previous medical problems. But there is some personal in- 
formation that people are going to be asked for when they sign up, 
and we need to ensure that this information is protected. 

This question comes up repeatedly — came up repeatedly when 
Secretary Sebelius was before us. She told us the department is 
placing a high priority on the security of the Web site, and the 
highest security standards are in place to protect personal informa- 
tion on Healthcare.gov. 

I hope this hearing will be serious, evenhanded inquiry, but I 
fear that some of my Republican colleagues may exaggerate secu- 
rity concerns to stoke public fear, and exaggerate it so that they 
can dissuade people from even signing up. This is exactly what this 
subcommittee did when they launched an investigation into non- 
profit community organizations serving as healthcare navigators. 
They were harassing these people in order to prevent them from 
helping people learn what is available to them. 

Mr. Chairman, yesterday we learned that you have been with- 
holding important investigative documents, leaking them to the 
press before even providing them to the Democratic members and 
staff. And I sent you a letter this morning describing why this is 
a violation of the committee’s precedent. It is not the way this com- 
mittee has traditionally operated, and it raises concerns about 
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whether these hearings are becoming another partisan attempt to 
weaken the Affordable Care Act. 

The committee should not go down that road. We should be using 
our oversight powers to improve the Affordable Care Act, not to 
sabotage it or to discourage Americans from signing up for quality 
care. 

I want to yield the balance of my time, Mr. Chairman, to Mr. 
Dingell. 

OPENING STATEMENT OF HON. JOHN D. DINGELL, A REP- 
RESENTATIVE IN CONGRESS FROM THE STATE OF MICHI- 
GAN 

Mr. Dingell. I thank the gentleman. I ask unanimous consent 
to revise and extend my remarks, and I am pleased to be here and 
I am certainly pleased that my subscription to The Washington 
Post is in effect so I can find out what is being leaked by my Re- 
publican colleagues to the media. 

This is interesting. We have clearly a violation of the practices, 
traditions and histories this committee and the investigations it 
has done. I speak as a member who has done more investigations 
than anybody in this room, including probably more than all of 
them put together. 

Here, we have a breach of the responsibility of the leadership to 
make information available to the committee at the same time they 
make it to the press. I find that difficult, but worse than that, I 
find it intolerable that this committee is running around fishing for 
trouble where none exists. I feel a little bit like the old maid who 
came home and looked under the bed to find out if there was some- 
body there, hoping, in fact, that there would be. Unfortunately, 
there is not. 

I have seen no evidence of any complaints or any evidence of mis- 
behavior with regard to the information that is controlled by the 
Government. I would urge this committee to spend its time trying 
to make this situation work, and see to it that we collect the infor- 
mation that is necessary, make the Web site work, and see to it 
that we register the Americans so that we can cease being a Third 
World nation, both with regard to how the Congress runs and how 
the health care of this country works. 

Mr. Murphy. Gentleman’s time has expired. 

Mr. Dingell. We are down around the Third World nations in 
the way that we take care of the health of our people. Look at the 
statistics. 

Mr. Murphy. Thank you. 

Mr. Dingell. It will give you a shock. 

Prepared statement of Hon. John D. Dingell 

I thank the gentlemen for yielding. 

Partisan politics have always been at the heart of the Majority’s investigation into 
the Affordable Care Act, but today we have reached a new low. 

Breaking with longstanding committee practice, the majority selectively released 
certain documents to the press before Democratic staff even had the opportunity to 
review. 

Oversight is one of the most important responsibilities of the Congress, and it can 
result in good things when used properly. This committee has a long history of bi- 
partisan cooperation when conducting oversight. 
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When I was chairman, the minority always had ample time to access documents. 
I hope we can soon return to that precedent and work on these issues together rath- 
er than playing games with the press. 

Mr. Murphy. Gentleman’s time has expired. 

Thank you very much. And now I would like to introduce the wit- 
nesses on our first panel for today’s hearing. Henry Chao has 
served since January 2011 as the Deputy Chief Information Officer 
and Deputy Director of the Office of Information Services at the 
Centers for Medicare and Medicaid Services. Some of his prior roles 
include Chief Information Officer in the Office of Consumer Infor- 
mation and Insurance Oversight, and Chief Technology Officer for 
CMS. I will now swear in the witness. 

You are aware, Mr. Chao, that the committee is holding an in- 
vestigative hearing, and when doing so, has the practice of taking 
testimony under oath. Do you have any objection to taking testi- 
mony under oath? The witness indicates no. The Chair then ad- 
vises you that under the rules of the House and the rules of the 
committee, you are entitled to be advised by counsel. Do you desire 
to be advised by counsel during your testimony today? Mr. Chao in- 
dicates no. In that case, would you please rise, raise your right 
hand, I will swear you in. 

[Witness sworn.] 

Mr. Murphy. Thank you. You are now under oath and subject to 
the penalties set forth in Title XVIII, Section 1001 of the United 
States Code. You may now give a 5-minute summary of your writ- 
ten statement. And make sure the microphone is on and pulled 
close to you. Thank you, Mr. Chao. 

STATEMENT OF H ENRY CHAO, DEPUTY CHIEF INFORMATION 

OFFICER AND DEPUTY DIRECTOR, OFFICE OF INFORMA- 
TION SERVICES, CENTERS FOR MEDICARE AND MEDICAID 

SERVICES 

Mr. Chao. Thank you. Chairman Murphy, Ranking Member 
DeGette, and members of the subcommittee for inviting me to tes- 
tify about the security of the Federally Facilitated Marketplace. 

The security and protection of personal and financial information 
is a top priority for CMS which, for decades, has protected the per- 
sonal information of the more than 100 million Americans enrolled 
in Medicare, Medicaid and the Children’s Health Insurance Pro- 
gram. 

The protection of personal information in CMS programs is a 
monumental responsibility. Every day, CMS enrolls new Medicare 
beneficiaries, pays claims timely and efficiently, and protects the 
information of consumers and providers. CMS used this experience 
and our security-best practices to build a secure Federal Market- 
place that consumers should feel confident entrusting with their 
personal information. 

CMS follows Federal law. Government-wide security processes 
and standard business practices to ensure stringent security and 
privacy protections. CMS’s security protections are not singular in 
nature; rather, the marketplace is protected by an extensive set of 
security layers. 

First and foremost, the application — the online application is de- 
veloped with secure code. Second, the application infrastructure is 
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physically and logically protected by our hosting provider. Third, 
the application is protected through an internet defense shield in 
order to protect unauthorized access to any personal data. Finally, 
several entities provide direct and indirect security monitoring, se- 
curity testing, and security oversight which includes the various or- 
ganizational groups that CMS are reporting to key stakeholders 
with respect to security and privacy. 

This includes the Department of Health and Human Services. 
We also work in conjunction with US-CERT, which is operated by 
the Department of Homeland Security. CERT stands for Computer 
Emergency Response Team. And the Office of the Inspector Gen- 
eral of HHS. Each of these groups has varying roles to ensure oper- 
ational management and technical controls are implemented and 
successfully working. 

The Federally Facilitated Marketplace is protected by the high 
standards demanded of Federal information systems, including reg- 
ulations and standards proscribed by FISMA, NIST, the Privacy 
Act and the directives promulgated by the Office of Management 
and Budget. 

CMS designed the marketplace IT systems and the Hub to re- 
duce possible vulnerabilities and increase the efficiency. A large 
number of connections can cause security vulnerabilities. The Hub 
allows for 1 highly secured connection between highly protected 
databases of trusted State and Federal agencies, instead of hun- 
dreds of connections that would have been established as part of 
how normal business practices in present day in how Government 
connects organizations with each other to conduct business. 

A series of business agreements enforce privacy controls between 
CMS and our Federal and State partners. Additionally, CMS de- 
signed the marketplace systems to limit the amount of personal 
data stored, and protects personal information and limits access 
through passwords, encryption technologies, zoned architecture 
with firewall separation in between the zones, and various other 
security controls to monitor log-in and to prevent unauthorized ac- 
cess to our systems. 

CMS also protects the Federal Marketplace through intensive 
and stringent security testing. While the Federal Marketplace has 
had some performance issues that could have been addressed 
through more comprehensive functionality and performance test- 
ing, I want to be clear that we have conducted extensive security 
testing for the systems that went live on October 1. We continue 
to test for security on a daily and a weekly basis any new functions 
or code prior to its launch. Of course, we are working around the 
clock to fix our performance issues so that the vast majority of 
users have a smooth experience with the site by the end of the 
month. 

While I cannot go into specifics of our security testing due to the 
sensitive nature, I assure you that CMS conducts continuous 
antivirus and malware scans, as well as monitors data flow and 
protections against threats by denying access to known source-bad 
IP addresses and actors. Additionally, we conduct two separate 
types of penetration testing on a weekly basis. The most recent 
penetration testing showed no significant findings. Also on a week- 
ly basis, CMS reviews the operation system infrastructure and the 
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application software to be sure that these systems are compliant 
and do not have vulnerabilities. Vulnerabilities are often fixed im- 
mediately on-site, and retested to ensure the strength of our sys- 
tem’s security. Each month, we review our plan of action and mile- 
stones in order to continuously improve our system’s security. 

For the Federally Facilitated Marketplace, we conduct security 
control assessments on a quarterly basis, which is beyond the 
FISMA requirements. As of today, no vulnerabilities identified by 
our tests have been exploited through an attack. Because of CMS’s 
experience running trusted secure programs, our fulfillment of Fed- 
eral security standards and constant and routine security moni- 
toring and testing, the American people can be confident in the pri- 
vacy and security of the marketplace. 

Thank you, and I would be happy to answer your questions. 

[The prepared statement of Mr. Chao follows:] 
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U. S. House Committee on Enei^ ACommerce 
Subcommittee on Oversight and Investigations 
“Security of HealthCare.gov” 

November 19, 2013 

Good morning. Chairman Murphy, Ranking Member DeGette, and members of the 
Subcommittee. Since the passage of the Affordable Care Act, the Centers for Medicare & 
Medicaid Services (CMS), in partnership with private sector contractors, has been hard at work 
to design, build, and test secure systems that ensure Americans are able to enroll in affordable 
health care coverage. I serve as CMS’s Deputy Chief Information Officer (CIO), and I am a 
career civil servant. As Deputy CIO, my role has been to guide the technical aspects of 
Marketplace development and implementation in accordance with all applicable laws, 
regulations, and agreements. While consumers using HealthCare.gov have been frustrated in 
these initial weeks after the site’s October 1, 2013 launch, CMS is working around the clock to 
address problems so that the site works smoothly for the vast majority of users by the end of this 
month. 

Overview of Marketplace Information Technology (IT) 

The Affordable Care Act directs states to establish State-based Marketplaces by January 1, 2014. 
In states electing not to establish and operate such a Marketplace, the Affordable Care Act 
requires the Federal Government to establish and operate a Marketplace in the state, referred to 
as a Federally-facilitated Marketplace. The Marketplace provides consumers access to health 
care coverage through private, qualified health plans, and consumers seeking financial assistance 
may qualify for insurance affordability programs like Medicaid, the Children's Health Insurance 
Program (CHIP), or the advance payment of the premium tax credits and cost-sharing reductions 
that can lower consumers’ upfront and out-of-pocket costs. 

Marketplace IT System Functions 

To fulfill the functions specified in the Affordable Care Act, Federally-facilitated and State- 
based Marketplaces developed eligibility and enrollment, redetermination, and appeals systems. 
In many ways, these systems are similar to what private issuers, Medicare Advantage issuers. 
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and State Medicaid agencies currently use to determine eligibility, enroll applicants into health 
coverage, process appeals, and perform customer service, as well as prevent fraud, waste, and 
abuse. 

These systems: 

• Determine a consumer’s eligibility to enroll in a qualified health plan through the 
Marketplace and for insurance affordability programs; 

• Transmit consumer information to state Medicaid/CHIP agencies or the private, qualified 
health plan issuer they have chosen; 

• Redetermine consumer eligibility status during the year, as needed; and 

• Allow individuals to appeal an eligibility determination. 

Privacy, Security, and Integrity Controls for the Marketplace IT Systems 
A key feature of the Marketplace IT systems is that they employ stringent privacy and security 
controls to safeguard consumer data. CMS developed the data services Hub and Federally- 
facilitated Marketplace eligibility and enrollment system consistent with Federal statutes, 
guidelines and industry standards that ensure the security, privacy, and integrity of systems and 
the data that flows through them. All of CMS’ IT systems — including Federal Marketplace 
systems of records and systems used to support State-based Marketplaces and Medicaid/CHIP 
agencies — are subject to the Privacy Act of 1974, the Computer Security Act of 1987, and the 
Federal Information Security Management Act of 2002 (FISMA). These systems must also 
comply with various rules, regulations, and standards promulgated by the Department of Health 
and Human Services (HHS), the Office of Management and Budget, the Department of 
Homeland Security, and the National Institute of Standards and Technology (NIST). 

Key Marketplace IT Functions 

To facilitate the back-end online eligibility and enrollment, redetermination, and appeals 
functions consumers access through HealthCare.gov, CMS developed two key tools, in 
partnership with private sector contractors. CMS contracted with QSSI to build the Hub, which 
provides an electronic connection between the eligibility systems of the Marketplace and State 
Medicaid and CHIP agencies to already existing, secure Federal and state databases to verify the 
information consumers provide in their applications for coverage. In addition, CMS contracted 
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with CGI Federal to build the Federally-facilitated Marketplace eligibility and enrollment 
system, which consumers use to create an account on HealthCare.gov, verify their identity, fill 
out an electronic application to determine their eligibility for health care coverage through 
private, qualified health plans, Medicaid, CHIP or other insurance affordability programs, choose 
a health insurance plan and ultimately enroll in health coverage. 

The Data Services Hub 

CMS designed the Hub, a routing tool that helps the Marketplace and State Medicaid and CHIP 
agencies provide accurate and timely eligibility determinations. The Hub verifies data against 
information contained in already existing, secure and trusted Federal databases. CMS has 
security and privacy agreements with all Federal agencies and states connecting to the Hub. 
These include the Social Security Administration, the Internal Revenue Service, the Department 
of Homeland Security, the Department of Veterans Affairs, Medicare, TRICARE, the Peace 
Corps and the Office of Personnel Management. The Hub increases efficiency and security by 
eliminating the need for each Marketplace, Medicaid agency, and CHIP agency to set up separate 
data connections to each database. Risk increases when the number of connections to a data 
source increase — ^which is why CMS has designed the Hub to minimize these risks. The Hub 
provides one highly secured connection among trusted Federal and state databases instead of 
requiring each agency to set up what could have amounted to hundreds of independently 
established connections. Further, the Hub is not a database; it does not retain or store 
information. It is a routing tool that can validate applicant information from various trusted 
Government databases through secure networks. 

Every Federal IT system must comply with rigorous standards before the system is allowed to 
operate. The Hub’s independent Security Controls Assessment was completed on 
August 23, 2013 and it received an authorization to operate on September 6, 2013. This 
authorization confirms that the Hub complies with Federal standards and that CMS implemented 
the appropriate procedures and safeguards necessary for the Hub to operate securely. 

The Hub and the Federally-facilitated Marketplace eligibility and enrollment system have several 
layers of protection in place to mitigate information security risk. For example, these 
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Marketplace IT systems will employ a continuotis monitoring model that will utilize sensors 
and active event monitoring to quickly identify and take action against irregular behavior and 
unauthorized system changes that could indicate a potential incident. If a security incident 
occurs, an Incident Response eapability would be activated, which allows for the traeking, 
investigation, and reporting of incidents. This allows CMS to quickly identify security incidents 
and ensure that the relevant law enforcement authorities, such as the HHS Office of Inspector 
General Cyber Crimes Unit, are notified for purposes of possible criminal investigation. As with 
all systems, the responsibility to safeguard information is an ongoing process, and CMS will 
remain vigilant throughout operations to anticipate and protect against data security concerns. 
The Marketplace IT monitoring program will continually be reviewed for effectiveness of the 
IT’s security controls, through methods that include independent penetration testing, automated 
vulnerability scans, system configuration monitoring, and active web application scanning. 

The Federally-Facilitated Marketplace Eligibility and Enrollment System 
As described above, the Affordable Care Act directs states to establish State-based Marketplaces 
by January 1, 2014. In states electing not to establish and operate such a Marketplace, the 
Affordable Care Act requires the Federal Government to establish and operate a Marketplace for 
the state, referred to as a Federally-facilitated Marketplace. CMS contracted with CGI Federal to 
build the Federally-facilitated Markeqtlace system, including the eligibility and enrollment 
system. This system lets consumers establish a HealthCare.gov account that they can return to at 
any point in the application process, and the system connects to the Hub to validate the 
information consumers submit. Once consumer information is verified, the eligibility and 
enrollment system forwards consumer applications to an eligibility tool to determine the 
consumer’s eligibility for Medicaid, CHIP, or tax subsidies. For those consumers eligible for tax 
subsidies, it then allows consumers to compare qualified health plans and start to enroll in the 
plan of their choosing, transferring the consumer’s information to the issuer to complete the 
enrollment process. 


Separate from the Federally-facilitated Marketplace eligibility and enrollment system on 
HealthCare.gov is a premium estimation tool, launched on October 10, 2013, that allows 
consumers to browse health plans without creating a HealthCare.gov account. While the tool 
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could only sort consumers into two age categories when it was first launched, its functionality 
will be expanded to accommodate additional scenarios to better fit consumer shopping profiles. 
This tool is different from the Federally-facilitated Marketplace application because 
determinations about consumers’ eligibility for insurance affordability programs, Medicaid, and 
CHIP are specific to the characteristics of an applicant and his or her household and can only be 
calculated when an application is completed — ^after income, citizenship, and other information is 
verified. 

The Federally-facilitated Marketplace eligibility and enrollment system consists of numerous 
modules. Each module of this system was tested for functionality. Each interface with our 
business partners and other Federal agencies was also tested. Numerous test cases were used to 
exercise the end-to-end functionality of the system. Given the user experience, we know now 
that we underestimated the volume of users who would attempt to log onto the system at the 
same time, and therefore our testing did not include performance testing at the volume we 
experienced at launch. 

On September 27, 2013, CMS granted authority for the Federally-facilitated Marketplace 
eligibility and enrollment system to begin operations, with authority to operate for six months. 
Consistent with security practices as required by FISMA and NIST, CMS identified a number of 
strategies that we are deploying to continue to monitor operations and mitigate any potential risk, 
including through regular additional testing. The authorization to operate the Federally- 
facilitated Marketplace eligibility and enrollment system is consistent with NIST guidance. 
FISMA and the NIST Risk Management framework permit agencies to authorize an “authority to 
operate” when there is a risk-mitigation strategy in place. To follow through on the risk 
mitigation strategy identified in the authorization to operate the Federally-facilitated Marketplace 
eligibility and enrollment system, we continue to conduct security testing on an ongoing basis as 
we add new IT functionality. 

Improvements to the Federally-facilitated Marketplace Eligibility and Enrollment System 

While the Hub is working as intended, after the launch of the Federally-facilitated Marketplace 
eligibility and enrollment system, numerous unanticipated technical problems surfaced which 
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have prevented some consumers from moving through the account creation, application, 
eligibility, and enrollment processes in a smooth, seamless manner. Some of those problems 
have been resolved, and the site is functioning much better than it did initially. We are 
committed to fixing these problems so that the experience using the Federally-facilitated 
eligibility and enrollment system improves for the vast majority of consumers by the end of 
November 2013. 

To ensure that we make swift progress, and that the consumer experience continues to improve, 
our team called in additional help to solve some of the more complex technical issues we are 
encountering. We brought on board management expert and former CEO and Chairman of two 
publicly-traded companies, Jeff Zients, to work in close cooperation with our team to provide 
management advice and counsel to the project. We have also enlisted the help of QSSI to serve 
as a general contractor for the project. They are familiar with the complexity of the system, and 
the work they provided — the Hub — is working well and performing as it should. They are 
working with CMS leadership and contractors to prioritize the needed fixes and make sure they 
get done. 

A number of fixes have already been completed. One place where we have seen a lot of 
consumer frustration is in the ability to successfully create an account. This issue is something 
that we identified on October 1 , and we have made significant progress since then to deliver a 
much smoother process for consumers. Users can now successfully create an account and 
continue through the full application and enrollment process. We are now able to process nearly 
17,000 registrants per hour, or 5 per second, with almost no errors. 

The tech team put into place enhanced monitoring tools for HealthCare.gov, enabling us to get a 
high level picture of the Federally-facilitated Marketplace eligibility and enrollment 
system. Thanks to this work, we are now better able to see how quickly pages are responding, 
and to measure how changes improve user experience on the site. 


We reconfigured various system components to improve site responsiveness. This has increased 
performance across the site, but in particular the viewing and filtering of health plans during the 
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online shopping process now responds in just seconds. It was taking minutes. We have also 
resolved issues with how the eligibility notices are presented to consumers. They now display 
properly at the completion of the application process. 

Other fixes include software configuration changes and optimization that have increased the 
efficiency of system interactions. We also added capacity by doubling the number of servers and 
have replaced the virtual database with a high-capacity physical one. This allowed us to be more 
efficient and effective in our processing time and significantly reduced the account registration 
failures. While significant work remains, these changes are already making the shopping process 
easier for consumers. 

Conclusion 

CMS is committed to creating safe, secure, and resilient IT systems that help expand access to 
the quality, affordable health coverage every American needs. We are encouraged that the Hub is 
working as intended, and that the framework for a better-functioning Federally-facilitated 
Marketplace eligibility and enrollment system is in place. By enlisting additional technical help, 
aggressively monitoring for errors, testing to prevent new issues from cropping up, and regularly 
deploying fixes to the site, we have already made significant improvements to the performance 
and functionality of the system. We expect that over the next few weeks, consumers will see 
improvements to the site each week, and that the consumer experience using the Federally- 
facilitated Marketplaces eligibility and enrollment system through HealthCare.gov will be 
greatly improved for the vast majority of users by November 30. 
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Mr. Murphy. Thank you, Mr. Chao. I will recognize myself first 
for 5 minutes. 

Mr. Chao, for the last year, members of this committee have 
asked you and others in the administration about the status of the 
launch of the President’s healthcare law. We wanted to know if you 
would be ready for the October 1 start of enrollment. Over and 
over, we were assured that all was well and everything was on 
track. 

The documents produced to the committee show a different pic- 
ture, and I would like to walk through a couple of them with you. 

In mid-March, you made a candid comment that you didn’t want 
the Exchange Web site to be a Third World experience. Now the 
committee has learned about a report prepared by committee for 
senior HHS and White House officials, and presented to these offi- 
cials in late March and early April this year. That document is tab 
1 of your document binder. This document highlights a number of 
risks facing Healthcare. gov’s launch, late policy, delayed designs, 
and building time and limited to a test. 

When did you first see this presentation? 

Mr. Chao. I haven’t seen that presentation. 

Mr. Murphy. You were not briefed at all that there was a 
McKinsey report presentation going on? 

Mr. Chao. I knew that McKinsey had been brought in to conduct 
some interviews and assessments and report to our administrator, 
in which I actually participated in some of those 

Mr. Murphy. You participated in the interviews when McKinsey 
was exploring this? 

Mr. Chao. Right, but I was not given the final report. 

Mr. Murphy. Were you aware that they had met with Secretary 
Sebelius, Marilyn Tavenner, Gary Cohen and others at CMS Head- 
quarters, HHS Headquarters, the Executive Office Building and 
the White House? 

Mr. Chao. We 

Mr. Murphy. Any of those incidences? 

Mr. Chao. I believe there were some meetings that I heard of, 
but I don’t know the exact dates when they occurred. 

Mr. Murphy. Now, part of your job is to make sure that this Web 
site is working, am I correct? 

Mr. Chao. Correct. 

Mr. Murphy. And so this was a major report that went as high 
up as the Secretary, maybe others, we don’t know, but saying that 
there were serious problems with this. And you are saying that, 
even though you were interviewed by this, you did not ever have 
this briefing yourself? 

Mr. Chao. No, I didn’t. 

Mr. Murphy. You knew it existed? 

Mr. Chao. I had heard that there was a final report out, but I 
didn’t see the actual report. 

Mr. Murphy. Did anything change for you in recognizing that 
this report was out there, basically telling people working on the 
HHS Web site that there were serious problems, no end-to-end 
testing, that other various aspects of it? 
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Mr. Chao. I can’t really tell you or speak to you of the contents 
of that report because I did not see it, and I didn’t hear about it 
until actually it was in The Washington Post. 

Mr. Murphy. I mean certainly, this is part of the concerns we 
have, and we are not making this stuff up. It is a matter that we 
have a Web site out there which untold millions, tens of millions 
or hundreds of millions are spent on this Web Site, which you have 
major leadership role here. McKinsey is hired to come and present 
what the problems are, and lay out a roadmap of those problems. 
I am deeply concerned that this is something that you knew existed 
but had not read. 

So when were you first concerned that the administration wasn’t 
going to be ready October 1 for the start of the open enrollment? 

Mr. Chao. I never thought that. I had relative 

Mr. Murphy. But you made a comment about you didn’t want 
this to be a plane crash. 

Mr. Chao. Well, you are referring to the email 

Mr. Murphy. Yes. 

Mr. Chao [continuing]. Exchange that I had with several 

Mr. Murphy. Yes, certainly that email didn’t say everything is 
going fine, congratulations team. 

Mr. Chao. Of course — I 

Mr. Murphy. It said I don’t want this to be a — so you must have 
had some awareness that some problems existed. 

Mr. Chao. Chairman, you have to understand, and the com- 
mittee, that I have been working on this since mid-2010 

Mr. Murphy. And we appreciate that. 

Mr. Chao [continuing]. And I have — I am a very cautious and — 
you know, I err on the side of caution and urgency because, even 
back in 2010, I didn’t believe that, you know, everything would be 
easy and just, you know, going along smoothly. So on a regular 
basis, I work with a lot of my contractors and my staff to sensitize 
them on the sense and level of urgency that is involved. 

Mr. Murphy. Absolutely. Especially with McKinsey was called in 
to prepare this document which was important enough for them to 
have meetings at CMS, HHS, with the Secretary of Health and 
Human Services, at the Executive Office Building and at the White 
House, describing the level of problems. So I appreciate your sensi- 
tivity and awareness to that. I am concerned you saying you have 
not even read this yet. 

Your testimony mentions the use of sensors and active event 
monitoring. You state that if an event occurs, an instant response 
capability is activated. Has that happened yet? 

Mr. Chao. Yes. 

Mr. Murphy. How many times? 

Mr. Chao. You mean whether if we are conducting 

Mr. Murphy. No, an instant response 

Mr. Chao [continuing]. An instant response 

Mr. Murphy [continuing]. Capability. Well, first of all, has any- 
thing happened yet, any hackers, any breaches, anyone trying to 
get into the system from the outside, has that occurred yet? 

Mr. Chao. I think that there was 1 incident that I am aware of, 
but it requires that we go to a classified facility and to actually 
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Mr. Murphy. Only once since the — where — but you are saying no 
other attempts to breach into this system have occurred? 

Mr. Chao. Not successful ones, no. 

Mr. Murphy. Not since when? 

Mr. Chao. Not successful ones. 

Mr. Murphy. All right. Now, when there are attempts, who do 
you report this to? 

Mr. Chao. It is a combination of a series of authorities that are 
involved. 

Mr. Murphy. Law enforcement? 

Mr. Chao. Well, through our incident reporting and breach re- 
porting processes that go through our agencies, various key leader- 
ship and then up through the department, as well as we have a 
Security Incident Response Center at the department that works 
with US-CERT at DHS. 

Mr. Murphy. Thank you. We will follow-up subsequently. 

I know I am out of time, so we will now recognize Ms. DeGette 
for 5 minutes. 

Ms. DeGette. Thank you very much, Mr. Chairman. 

First of all, Mr. Chao, and also to the contractors, something you 
said in your opening I think we should really take heed, which is 
you want to be careful not to divulge sensitive information about 
the security designs of the Web site. Is that right? 

Mr. Chao. That is correct. 

Ms. DeGette. So I would say to you and to the contractors, and 
I think the majority would agree with me, if there is a question 
asked about that sensitive information, if you would just let us 
know and then we can take it into executive session, or whatever 
we need to do. 

Ms. Murphy. Absolutely. 

Mr. Chao. Certainly. 

Ms. DeGette. Thank you, Mr. Chairman. 

Now, Mr. Chao, the chairman was asking you about this memo 
that you had — or it is an email, and it was on Tuesday, July 16. 
If you can take a look at tab 7 in your document binder, please. 
That is a copy of your memo, and it looks to me in reading it that 
you were basically telling people that you wanted to make sure this 
Web site got up and going. Is that right? 

Mr. Chao. Yes. 

Ms. DeGette. And that was your view, right? 

Mr. Chao. Yes. 

Ms. DeGette. Did you take further actions after July 16 to try 
to get the Web site up and going? 

Mr. Chao. It was a constant daily effort. 

Ms. DeGette. And it still is, isn’t it? 

Mr. Chao. To improve it, certainly. 

Ms. DeGette. Yes. OK, I would like you now to take a look at 
tab 1 of your document binder. Now, Mr. Chao, this is the docu- 
ment that was given to The Washington Post yesterday by the ma- 
jority, and also simultaneously to the Democrats on the committee. 
This is the document the chairman was asking you about in his 
opening statement. Have you ever seen this document before? 

Mr. Chao. No, I haven’t. 
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Ms. DeGette. ok, so you don’t really know about whatever it 
might have said in that document, right? 

Mr. Chao. No, I 

Ms. DeGette. OK, thanks. 

Mr. Chao. I believe it is an executive level briefing for 

Ms. DeGette. Right, but you weren’t — you didn’t — you weren’t 
part of that briefing? 

Mr. Chao. No. 

Ms. DeGette. OK. That doesn’t mean though that you weren’t 
concerned about the Web site working and trying to make it work. 

Mr. Chao. Well, of course. I think in some of the interviews with 
McKinsey, you know, I think some of what is in here could have 
potentially come from information that 

Ms. DeGette. But you wouldn’t know that because you didn’t 
see it. 

Mr. Chao. No, I 

Ms. DeGette. OK. 

Mr. Chao [continuing]. Don’t see how it was formed. 

Ms. DeGette. I want to talk to you about the topic of this hear- 
ing now for a few minutes, and that is the issue of security. And 
I think I heard you say both in your opening and in response to 
questioning by the chairman, I just wanted to ask again. Have 
there been vulnerabilities that have been discovered since the Web 
site unveiled on October 1? 

Mr. Chao. Security vulnerabilities 

Ms. DeGette. Yes. 

Mr. Chao [continuing]. Have not necessarily been reported in 
terms of it being a security threat. I think there was some misuse 
of terminology of something like 16 incidents reported that — in a 
previous DHS testimony a couple of days ago, but they were actu- 
ally incidents involving disclosure of PII information, and it wasn’t 
due to the result of anyone trying to attack the Web site. 

Ms. DeGette. What was it a result of? 

Mr. Chao. It was dealing with some training issues at the call 
center, or we had a system issue where if you had similar 
usernames and you chose a special character at the end of that 
username, for example, if your name is Smith and you chose an @ 
sign at the end of the username, sometimes that @ sign was treat- 
ed like a — what we call a wildcard search, so the return log-in in- 
formation about someone else, but that since — since was reported, 
has been fixed as of today. 

Ms. DeGette. That problem has been fixed so that is 

Mr. Chao. Yes. 

Ms. DeGette [continuing]. Not happening anymore? 

Mr. Chao. It is not a hacker 

Ms. DeGette. Now, you have been at the Agency how long, sir? 

Mr. Chao. Approximately 20 years. 

Ms. DeGette. And in working on the other sensitive areas. 
Medicare and other areas, is this common that sometimes there 
might be a little bump like this? 

Mr. Chao. Fairly common. 

Ms. DeGette. Uh-huh, and what does the Agency do when that 
is identified? 
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Mr. Chao. We have an extensive set of processes and controls in 
place with designated personnel to handle whether they are 

Ms. DeGette. And 

Mr. Chao [continuing]. For example, security breaches versus 
the personally identifiable information-type incidents, data loss. 

Ms. DeGette. And there is continuing testing, is that right? 

Mr. Chao. Correct. 

Ms. DeGette. Now, MITRE has been performing assessments for 
CMS, is that correct? 

Mr. Chao. Correct. 

Ms. DeGette. And what that does is it gives the contractors the 
opportunity to identify and resolve security vulnerabilities, is that 
correct? 

Mr. Chao. I think what is — the benefit is that we use a set of 
contractors to independently test the system so that we are not 
taking the words of, let us say, for example, QSSI or CGI them- 
selves performing security testing. So this independent testing pro- 
vides us a more, you know, balanced view of 

Ms. DeGette. And is this ongoing, this 

Mr. Chao. Yes. 

Ms. DeGette [continuing]. This independent testing? 

Mr. Chao. It is on a daily and weekly basis. 

Ms. DeGette. Thank you very much, Mr. Chairman. 

Mr. Murphy. The Chair now recognizes Mr. Barton for 5 min- 
utes. 

Mr. Barton. Thank you, Mr. Chairman. 

In Mr. Dingell’s opening statement, and to some extent what Ms. 
DeGette just said, I am reminded of the movie “Casablanca,” and 
Claude Rains, the French chief of police, goes into Rick’s Cafe and 
says, “I am shutting it down, I am shutting it down.” And Rick 
comes up, who is played by Humphrey Bogart, and says, “Why are 
you shutting us down?” And Claude Rains, the chief of police, says, 
“I am shocked, shocked, to learn there is gambling going on,” just 
as the croupier comes up and says to Claude Rains, “Your 
winnings, sir." 

It is interesting and amusing that the past master running this 
committee, Mr. Dingell, would be shocked, shocked and amazed 
that something was given to The Washington Post yesterday. Now, 
I am not saying that it was, I don’t know, but if it did happen, it 
wouldn’t be the first time in this committee’s history that docu- 
ments were given to the press at approximately the same time they 
were distributed to the members of the committee. 

Mr. Dingell. If the gentleman would yield, I didn’t say I was 
shocked, I said I was grateful I had the subscription to The Wash- 
ington Post so I could keep track of what 

Mr. Barton. Well 

Mr. Dingell [continuing]. Is going on in the committee 

Mr. Barton. Well 

Mr. Dingell [continuing]. Along with my Republican 

Mr. Barton [continuing]. Reclaiming my time from my — which is 
my time, from my good friend. What shocks me is that Mr. Chao, 
our witness, who is the Deputy Chief Information Officer and Dep- 
uty Director of the Office of Information and Services for Medicare 
and Medicaid, who has been identified numerous times as the chief 
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person in charge of preparing this Weh site at the CMS level, was 
not aware of this document. I mean to me, that is what is shocking. 

So my first question to you, sir, is when were you made aware 
of this McKinsey hriefing document? 

Mr. Chao. I think I was aware that some document was being 
prepared, because I had gone through the interviews, but towards 
the end when the briefings occurred, I was not part of them, nor 
was I given a copy. 

Mr. Barton. I mean, were you aware that McKinsey had been 
hired to come in and basically troubleshoot the status of the Web 
site? 

Mr. Chao. I don’t think they were brought in to troubleshoot, I 
think they were brought in to make an assessment by conducting 
various interviews with key 

Mr. Barton. Did 

Mr. Chao [continuing]. Stakeholders. 

Mr. Barton. Did this group ever talk to you? 

Mr. Chao. Yes. 

Mr. Barton. OK, so they did come in and at least visit with you? 

Mr. Chao. Yes, they have interviewed me before. 

Mr. Barton. Once, twice, a dozen? 

Mr. Chao. Probably at least two times from what I recall. 

Mr. Barton. OK. Now, since you have been made aware of the 
document 

Mr. Chao. Well, I 

Mr. Barton [continuing]. Have you studied it? 

Mr. Chao. No, I was not made aware of the document. I was 
interviewed by the team that put that together. When the docu- 
ment was assembled, I didn’t get a copy of it. 

Mr. Barton. OK. Well, as Mr. Dingell has pointed out, it is in 
The Washington Post. So have you — ^before coming before this sub- 
committee this morning, have you perused this document? 

Mr. Chao. No, I have not. 

Mr. Barton. You have not perused this document, OK. Well, on 
page 1 of the document, it says the working group, whoever that 
is, maybe you can enlighten us on that, determined that extending 
the go-live date, which, as we all know, is October the 1st, should 
not be a part of the analysis and, therefore, worked with a bound- 
ary condition of October the 1st as the launch date. Now, in plain 
English, what that means is somebody decided we couldn’t delay 
the startup date so, by golly, we are going to assume it is going 
to go live on October the 1st. 

Were you a part of the working group that made that decision? 

Mr. Chao. No. 

Mr. Barton. Do you know who the working group was that made 
that decision? 

Mr. Chao. No. 

Mr. Barton. Do you have any idea, was it the President and the 
Secretary of Health and Human Services, or was it somebody below 
your level that made a decision somewhere in the bowels of the bu- 
reaucracy? 

Mr. Chao. I think that it probably was a conglomerate of sev- 
eral — 

Mr. Barton. A conglomerate? 
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Mr. Chao [continuing]. Key leadership that came to that conclu- 
sion. 

Mr. Barton. OK. Did you 

Mr. Chao. I was 

Mr. Barton. Did you have any decision-making authority your- 
self about when the start-up date should he? 

Mr. Chao. No. 

Mr. Barton. That was not in your authority to say we are going 
to have to put it off or make a decision to go forward? 

Mr. Chao. No, I do not get to pick what date. 

Mr. Barton. Do you know who did have that decision-making 
authority? 

Mr. Chao. I believe it is our administrator, Marilyn Tavenner, 
and potentially other folks, but primarily I take my direction from 
Marilyn Tavenner. 

Mr. Barton. All right. Well, Mr. Chairman, my time has expired, 
but I will just say in summing up, we are concerned at multiple 
levels, but if you review this CMS document, which I did not see 
until just now, this morning, it doesn’t take but about 10 minutes 
to go through and look at it, and it is absolutely clear that the 
startup of the Web site was not going to work well, if at all, on Oc- 
tober the 1st. It was not. And it says that in here. 

So with that, I yield back. 

Mr. Murphy. Thank you. Gentleman’s time has expired. 

The Chair now recognizes Mr. Dingell for 5 minutes. 

Mr. Dingell. Chairman, I thank you for the recognition and 
thank you for holding this hearing. 

We are over 6 weeks into the implementation of the Affordable 
Care Act, and while the functionality of the Healthcare.gov Web 
site has improved, it is clear there is more work to be done, and 
I am hopeful that the subcommittee will work hard to achieve that 
goal. 

ACA is the law of the land, and I believe we share the goal of 
making it a functioning and secure Web site, however, it is impor- 
tant to remember that we can never fully eliminate the risks when 
building a large IT system, and so we must take steps to mitigate 
them. I would also urge that we take the necessary steps to make 
the program work, because this is the largest undertaking of this 
character I believe that we have ever seen by a Government any- 
where. 

First question, yes or no. Is CMS responsible for developing the 
Data Services Hub and the eligibility enrollment tools for the Fed- 
erally Facilitated Marketplace? Yes or no, Mr. Chao? 

Mr. Chao. Yes. 

Mr. Dingell. Now, Mr. Chao, are these projects required to com- 
ply with the Privacy Act of 1974, the Computer Security Act of 
1987, the Federal Information Security Management Act of 2002? 
Yes or no? 

Mr. Chao. Yes. 

Mr. Dingell. Now, additionally, CMS must also comply with reg- 
ulations and standards promulgated by the National Institute of 
Standards and Technology at the U.S. Department of Commerce. Is 
that correct? 

Mr. Chao. Yes. 
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Mr. Dingell. Now, these NIST standards require CMS to bal- 
ance security considerations with operational requirements. Is that 
correct? 

Mr. Chao. Yes. 

Mr. Dingell. Mr. Chao, once the key pieces of Healthcare.gov 
Web site is the Data Hub. Is this a large repository of personal in- 
formation as some of my friends on the other side have claimed? 
Yes or no? 

Mr. Chao. No. 

Mr. Dingell. Say that again. No? 

Mr. Chao. No, it does not store any 

Mr. Dingell. OK, I want 

Mr. Chao [continuing]. Personal 

Mr. Dingell. I want that on the record and clearly heard. Does 
the Data Hub retain any personal information at all? Yes or no? 

Mr. Chao. No. 

Mr. Dingell. Indeed, is it fair to say that the Data Hub is a tool 
to transmit eligibility information to Federal agencies? Yes or no? 

Mr. Chao. Yes. 

Mr. Dingell. Now, did the Data Hub pass a security test to the 
October 1 launch of Healthcare.gov? Yes or no? 

Mr. Chao. Yes. 

Mr. Dingell. All right, is the Data Hub working as intended 
today? Yes 

Mr. Chao. Yes. 

Mr. Dingell [continuing]. Or no? 

Mr. Chao. Yes. 

Mr. Dingell. And is there any evidence to the contrary? 

Mr. Chao. No. 

Mr. Dingell. Is there any evidence of breaches or lack of secu- 
rity of personal data or information by any person who has sub- 
mitted such data to this undertaking? Yes or no? 

Mr. Chao. No. 

Mr. Dingell. It is always true — our duty to remember how our 
healthcare system operated prior to the passage of the ACA. At 
that time, insurance companies were allowed to medically under- 
write people to determine their premium. This required lengthy, 
confusing applications, and contained a lot of personal medical in- 
formation. Oftentimes this was submitted electronically as well. 
ACA has changed all of this. 

Now, in fact, this is a question to you again, Mr. Chao. In fact, 
application forms on Healthcare.gov do not require the submission 
of any personal health information. Is that correct, yes or no? 

Mr. Chao. Yes. 

Mr. Dingell. Now, Mr. Chao, that is because ACA prohibits dis- 
crimination on the basis of pre-existing conditions, and outlaws 
charging people more because they are sick. Is that correct? 

Mr. Chao. Yes. 

Mr. Dingell. So the information is not necessary? 

Mr. Chao. It is not. 

Mr. Dingell. And it is not correct — and it is not collected? 

Mr. Chao. It is not collected. 

Mr. Dingell. All right, this is a remarkable improvement over 
the old system in terms of both security and the quality of care. 
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Next question. There are a lot of negative stories in the press 
that create a lot of confusion, so I want to get this record straight. 

Is Healthcare.gov safe and secure for my constituents to use 
today with regard to protection of their personal information and 
their privacy? Yes or no? 

Mr. Chao. Yes. 

Mr. Dingell. Is there any evidence at all to the contrary? 

Mr. Chao. No. 

Mr. Dingell. Mr. Chairman, you have been most gracious. I 
yield you back 12 seconds. 

Mr. Murphy. Thank you. 

Now going to recognize Mrs. Blackburn for 5 minutes. Thank 
you. 

Mrs. Blackburn. Thank you, Mr. Chairman. 

Mr. Chao, we really appreciate that you would come and work 
with us on this issue. I want to talk with you for a minute about 
some red flags that seemed to be apparent to you, and you are 
going to find the email I am referencing at tab 7, and it is the July 
16, 2013, email that you sent to Monique Outerbridge. And I really 
want to focus there. You know, when you have something that is 
running off the rails and — as this obviously seemed to you to be 
doing, it was a project that just was not proceeding as it should be 
proceeding, and you expressed these concerns about the perform- 
ance of CGI, what I would like to hear from you is just an articula- 
tion of maybe what were those top 3 or 4 red flags that seemed to 
be going up to you, that you said I fear that the plane is going to 
crash on takeoff, and some of those wordings that we have heard 
from you now. 

So give me just kind of the top 3 or 4 things. 

Mr. Chao. I think in the context of this email, it was at a time 
period in which we were getting ready to roll out what we called 
Light Account, which is that initial registration process. And as I 
mentioned before, I am a person who has a lot of anxiety and I al- 
ways err on the side of caution if we are going to run out of time, 
so I occasionally get a little passionate in my emails to remind peo- 
ple that they need to move fast, and if they are moving fast, they 
need to move faster. That is just the way I operate and the way 
I direct staff and contractors. And what I was afraid of was, at this 
particular point in time, was that we were falling behind in the 
rollout of Light Account. 

Mrs. Blackburn. OK, on Light Account, did your test on that go 
off without a hitch, or what happened? 

Mr. Chao. There — I don’t exactly remember the specifics about 
what tests passed or failed, I just was afraid that we were in jeop- 
ardy of missing the date. So, therefore, you know, I — at that time 
period, starting July, I wrote lots of emails to try to 

Mrs. Blackburn. OK, did you hit the date? 

Mr. Chao. I believe we — it took an extra 4 days. 

Mrs. Blackburn. An extra 4 days? 

Mr. Chao. Yes. 

Mrs. Blackburn. On the test. And you don’t remember exactly 
what the concerns were that came to you at that point in time. Is 
there a memo of review, a memo, an articulation of what 

Mr. Chao. I 
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Mrs. Blackburn [continuing]. Transpired in that test process? 

Mr. Chao. I don’t think it is necessarily a memo. I think the way 
we operate is that we have daily meetings and 

Mrs. Blackburn. Are there minutes from those meetings 

Mr. Chao [continuing]. We 

Mrs. Blackburn [continuing]. And could you submit those to us 
for the record? 

Mr. Chao. I don’t believe that there were minutes. I believe they 
were just status check-ins with, you know, contractors and 
their 

Mrs. Blackburn. Are there notes? 

Mr. Chao. No, I don’t 

Mrs. Blackburn. Informal notes? 

Mr. Chao. I don’t believe so. I think when my emails were 

Mrs. Blackburn. OK. 

Mr. Chao [continuing]. Submitted as evidence 

Mrs. Blackburn. OK. 

Mr. Chao [continuing]. That is kind of a 

Mrs. Blackburn. All right, let me go on a minute. I want to talk 
specifically about CGI. What about, you know, if you all kind of in- 
formally worked in a group, and didn’t have formal meetings or 
minutes and memos and things of that nature, just give me your 
impression, what was it — ^your perception that caused you to lose 
confidence in CGI, where were you on that, because I think it is 
so interesting, you mentioned price and I note in this email chain 
from Monique Outerbridge that they had $40 million already that 
they had taken, they were coming back and asking for another $38 
million. Now, if I had someone who had used up all of their money 
from a project, and then they came back and asked for that much 
more, I think I would have to say, wait a minute. So regardless, 
obviously, the price to you was of tremendous concern. Am I right 
on that? 

Mr. Chao. Correct. 

Mrs. Blackburn. OK, so they had already kind of washed your 
confidence there. What else was it in their conduct that eroded 
your confidence in their ability to transact this portion of business? 

Mr. Chao. I think what I was trying to say is that, relatively 
speaking to, I would say, most project managers that are looking 
at smaller-scale projects, I would say there might be some room to 
be 

Mrs. Blackburn. OK 

Mr. Chao [continuing]. A little more confident, but given the 
task at hand, my confidence level had to deal with the enormous 
amount of activities we had to be successful at to deliver, you 
know, on Light Account, that interim, you know, kind of piece, as 
well as the October 1 delivery. 

Mrs. Blackburn. I yield back. 

Mr. Murphy. Yes, I am just curious, to follow-up to that. Did you 
ever present these concerns that you had about being ready — 
whether or not it would be ready on October 1, when you were 
interviewed by McKinsey people? 

Mr. Chao. Well, this was in the July time frame. I think 
McKinsey was — their interviews were in maybe a March or April 
time frame. 
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Mr. Murphy. I just wondered if you presented any concerns to 
them about being able to meet these dates when you spoke with 
them? 

Mr. Chao. I think as a course of conducting project management, 
program management, that working with CGI and QSSI and my 
team, we discussed these concerns on an ongoing basis. In 

Mr. Murphy. Just one note. I will follow up 

Mr. Chao. OK. 

Mr. Murphy. We will make sure someone follows up. 

Now I will recognize Mr. Waxman for 5 minutes. 

Mr. Waxman. Mid thank you, Mr. Chairman. 

Nobody is happy with this rollout of Healthcare.gov, and the ad- 
ministration has taken its lumps, but aside from lessons learned, 
it seems to me that my focus ought to be and my concern is getting 
this thing working. Americans want to be able to access the Web 
site and choose a healthcare plan, especially those who haven’t 
been able to get an opportunity to buy health insurance in the past. 
That is why it seems to me, if we need legislative changes, we 
should make changes to make it work, not to repeal it. You know, 
the Republicans are so fixated on hating this law and they want 
to repeal it. They don’t even want to consider helping make it 
work, and that is the focus that I want to use in asking you some 
questions, Mr. Chao. How do we make this work better? 

Now, is it accurate to say that CMS is getting the Web site up 
and running? 

Mr. Chao. Yes. 

Mr. Waxman. OK, and is it accurate that CMS has crossed — Cen- 
ter for Medicare and Medicaid Services, that is the department — 
part of HHS that is working on it, they have crossed 200 items off 
its punch list? 

Mr. Chao. Correct. 

Mr. Waxman. And can you give me a few examples of important 
issues that have recently been addressed? 

Mr. Chao. Issues related to the enrollment transactions that had 
some data issues — data quality issues that were fixed, and now 
issuers can receive that data without doing a lot of cleaning up of 
that data. So 

Mr. Waxman. Um-hum. 

Mr. Chao [continuing]. Data quality has improved. The daily 
transactions that we send to them have improved. 

Mr. Waxman. Um-hum. 

Mr. Chao. The response times for the Web site have improved. 
The error rate of people experiencing some level of difficulty with 
moving from stage to stage in their online application, that has 
been reduced and improved. 

Mr. Waxman. Well, in fact, Jeff Zients, the administration’s point 
person on this whole Web site, announced on Friday that you have 
dropped your error rate from 6 percent to below 1 percent, and you 
have cut the average wait time for page loading from 8 seconds to 
less than 1 second. What do these improvements look like to the 
average consumer going on the site? 

Mr. Chao. I think they become transparent to the user. The user 
then can get at the task at hand of filling out their information, 
of finding out if they are asking for a premium tax credit, that they 
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are calculated timely, and they are proceeding ahead in the appli- 
cation so that they can apply some, all or none of that premium 
tax credit to their plan compare so that they can look at the offsets 
that occur, and what the final premium should he, to make their 
selection and to go through the process in a very efficient and 
speedy fashion, as compared to what they experienced on day 1. 

Mr. Waxman. How about the overall stability of the site? It was 
down frequently in the early weeks. Has that improved? 

Mr. Chao. Yes, certainly. I think we do have regular mainte- 
nance windows, but those maintenance windows are used to imple- 
ment these improvements that you have been hearing about. 

Mr. Waxman. So numbers seem to be getting better, and I expect 
we will see more improvements. The anecdotal evidence I get is 
that the site is getting better, slowly but surely, and that explains 
why the enrollment rate in November is speeding up significantly. 
In fact, I do have more than anecdotes, I have some figures. In 
Massachusetts, where they started a similar program, it started off 
slowly, only Yio of a percent of overall enrollees for private cov- 
erage signed up in the first month, and then thus far, in the Af- 
fordable Care Act, 1.5 percent. So both started slowly. We are even 
ahead of what Massachusetts was. But after that, there was a 
surge in enrollment as people got closer to deadlines. 

The LA Times reported that “a number of States that use their 
own systems are on track to hit enrollment targets for 2014 be- 
cause of a sharp increase in November.” California, which enrolled 
31,000 people in private plans last month, nearly doubled that in 
the first 2 weeks of this month, and several other States are out- 
pacing their enrollment estimates. In Minnesota, enrollment in the 
second half of October was triple the rate of the first half So we 
see an acceleration, even in the Federal Marketplace. The New 
York Times reported that the Federal Marketplace has nearly dou- 
bled its private plan enrollment in just the first 2 weeks of Novem- 
ber. 

We are not where we need to be, but we are seeing improve- 
ments, and this increased pace of people going back on the site suc- 
cessfully is, to me, very encouraging. So rather than just attack the 
healthcare law or look for ways to undermine it, we ought to try 
to make it work, and we are anxious to make sure that you do your 
job of getting the Web site and all of that working, and if we need 
any legislative change, call on us because we are ready, willing and 
able to act in that regard. 

Yield back my time. 

Mr. Murphy. The gentleman’s time has expired. 

I now recognize for 5 minutes the gentleman from Texas, Dr. 
Burgess. 

Mr. Burgess. And thank you, Mr. Chairman. Thank you again, 
Mr. Chao, for being here. 

In response to one of Dr. Murphy’s questions about a breach of 
the system, you responded that you could not talk about it in open 
session, that it would require a classified briefing. Is that correct? 
Did I hear you correctly? 

Mr. Chao. Correct. That was — that is how I was instructed by 
our department. 
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Mr. Burgess. Very well. I would like to go on the record as ask- 
ing that that classified briefing with staff — bipartisan staff occur. 
Can I get your commitment on trying to make that happen? 

Mr. Chao. Yes, sir. 

Mr. Burgess. Thank you. So the much-talked-about Red Team 
discussion document from The Washington Post this morning, 
which, of course, you have not seen, and I appreciate that, but you 
were interviewed, in response to Mr. Barton’s questions, you were 
interviewed by the McKinsey team who were developing this? 

Mr. Chao. Yes. 

Mr. Burgess. Do you remember when? 

Mr. Chao. Approximately an April time frame. 

Mr. Burgess. During the time frame that this was being devel- 
oped. Do you recall what you talked about? 

Mr. Chao. I think primarily what I was intimating to the 
McKinsey team was a schedule challenge, because during April, we 
had just started QHP submission, and working with issuers. They 
were very nervous that 

Mr. Burgess. Excuse me, what is QHP? 

Mr. Chao. Qualified health plans. 

Mr. Burgess. OK. 

Mr. Chao. I apologize. And in — during that month, it was a 
rapid, you know, process to collect all the qualified health plan 
data that you see in plan compare on Healthcare.gov now, as well 
as in the State-based marketplaces, and I was remarking on how 
that is unprecedented to only give issuers, you know, that short 
amount of time to submit their data, and that we needed to make 
adjustments in the windows potentially so that they could come 
back in and make corrections. You know, that is an example of 
what I talked about in terms of the schedule challenges that we 
were trying to undertake something large-scale, fairly complex 
compared to what is happening in the insurance landscape today, 
and that this was new and we were working on a short time frame. 

Mr. Burgess. And I will stipulate that those are legitimate con- 
cerns. And so on page 1 of this Red Team document, at the bottom 
of the page, highlighted, the working group determined that ex- 
tending the go-live date should not be part of the analysis, and, 
therefore, work with a boundary condition of October 1 as the 
launch date. In other words, it didn’t matter what the conditions 
on the ground were, come hell or high water, October 1 we have 
got to go live. And were you given that impression by anyone on 
your team as you worked through this? 

Mr. Chao. Not necessarily characterized that way, but as I men- 
tioned — 

Mr. Burgess. Well, let me interrupt you again, my time is lim- 
ited. Who would have made a decision like that, that it doesn’t 
matter — I mean it is like the old saying, it doesn’t matter what — 
don’t check the weather, we are flying anyway. Who would make 
a decision like that? 

Mr. Chao. I think the decision ultimately is made, you know, by 
Marilyn Tavenner and, you know, a team of folks, I suppose, that 
she works with. But as the administrator, she sets the deadlines 
for my work, and 
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Mr. Burgess. Now, some of the people that are referenced in the 
report given to the committee by McKinsey, that people that had 
discussions in the White House, the old Executive Office Building, 
people like Nancy-Ann DeParle, Jeanne Lambrew, do you know if 
they were involved in these decisions? 

Mr. Chao. I can’t speak to that. I didn’t hear anything about 
those discussions. 

Mr. Burgess. Have you been in meetings with Jeanne Lambrew 
and Nancy-Ann DeParle? 

Mr. Chao. Yes. 

Mr. Burgess. And what — could you characterize those meetings? 

Mr. Chao. The ones that I remember were dealing with coordina- 
tion with IRS on their FTI, Federal Tax Information, requirements, 
security protections and the Privacy Act with SSA. 

Mr. Burgess. At any point during those meetings, did it come up 
with the concern that we may not be ready trying to integrate all 
of these moving parts by October 1? 

Mr. Chao. Not in that context, no. 

Mr. Burgess. In any context? 

Mr. Chao. You know, concerns about whether if agencies were 
working closely together, but not really in the context of October 
1, no. 

Mr. Burgess. One of the other things that keeps coming up re- 
peatedly in this report is that, number 1, there were evolving re- 
quirements, there wasn’t a consistent endpoint, there were mul- 
tiple definitions of success, and in spite of all of the concerns 
brought up by the report, it must launch at full volume. I mean it 
almost sounds like a recipe for disaster, doesn’t it? You are chang- 
ing the definition as it goes along, you are not allowed to change 
the date, and you have got to launch at full volume. That is a pret- 
ty tall order, isn’t it? 

Mr. Chao. It is. 

Mr. Burgess. Well, let me ask you this. How does it make you 
feel to know that there was this kind of report out there, and that 
other people knew about it, people in the White House, people 
within the Agency, and you have been the primary point man out 
there and no one discussed it with you? How does that make you 
feel? 

Mr. Chao. I am actually not terribly hurt by it or surprised by 
it. I think the information contained within it is something that I 
live on a day-to-day basis to try to deliver a working system. I 

Mr. Burgess. You are playing into everyone’s worst fear about 
what it is like to be in the bureaucracy. 

Let me ask you this. One of the things brought up in this report 
is that there is not a single implementation leader 

Mr. Murphy. Gentleman’s time has expired. 

Mr. Burgess [continuing]. Do you feel during your time that 
there has been a single implementation leader that you could look 
to for advice and direction through this? 

Mr. Chao. I think I have looked to several because of how 

Mr. Burgess. Name one. 

Mr. Chao. Marilyn Tavenner. 



38 


Mr. Murphy. Gentleman’s time has expired. We are going to 
need to follow up with that. So we will submit those questions for 
the record too. 

Now recognize the gentleman from Texas, Mr. Green, for 5 min- 
utes. 

Mr. Green. Thank you, Mr. Chairman. And like all of us, I have 
some concern, I have some questions in a minute about the 
Healthcare.gov, but I want to just say that, you know, it is frus- 
trating for those of us on this side of the aisle who supported it, 
who actually worked a lot of times on the drafting of different 
versions of the Affordable Care Act, to see what happened on Octo- 
ber 1 without the rollout. And to have it successful, that is the way 
we need to deal with it, because having been here through also the 
prescription drug plan for seniors, that is the way you can get to 
the numbers you really need. So hopefully that will happen. But 
the law is still there, and last Saturday in our district, at least in 
Houston, because in Texas, we are unfortunate, we have some of 
the highest percentage and numbers of uninsured folks in the coun- 
try, and in our congressional district 42 percent of my constituents 
work and don’t have insurance through their employer. So they 
would be qualified to go with the ACA. And we actually did it by 
paper. Now, I have to admit, I can’t remember except — and I 
wasn’t around when Medicare was rolled out. I guess that was the 
last time we rolled anything out by paper, but let me give you the 
results. We had 3 members of Congress, the Mayor of Houston, our 
Republican county judge, and the Secretary of Labor. We actually 
had 800 families show up on a Saturday morning and signed in, 
of course, with multiple attendees per family, nearly 300 people set 
up follow-up appointments after a navigator. We had 88 of the cer- 
tified navigators there. And we don’t know how many applications 
were completed because the number is still be tallied by navigators 
and HHS and our regional office out of Dallas. So there are people 
out there who want to do it. And if we have to do it by paper, we 
will do it, but that is the frustration we have. We want this to work 
because there are millions of people in our country who need this. 
Now, I know the majority in the House may not understand that, 
but I know in our district they do. 

But I don’t know if you have a comment, but let me — and I can 
get to the Healthcare.gov. 

Mr. Chao. I think CMS takes to heart the matter, and I think 
everyone working on this is absolutely serious about improving this 
experience because we know that in districts like yours, there are 
quite a few number of people that need and want to enroll and use 
this benefit. So we are certainly working very hard to make that 
happen. 

Mr. Green. Well, with that success, believe me, we are going to 
do a lot of smaller ones in our district, and try and work with them 
and partner with media companies to maybe get the message out. 

I have a few questions about Healthcare.gov and the important 
goal I think we both share, and sharing is part of the success in 
implementation of the Affordable Care Act, people can have access 
to care they need and when they need it. Part of this goal requires 
that Federal and State exchanges secure the American people can 
trust their information and privacy won’t be compromised. How is 
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the Data Hub used to determine eligibility and enroll applicants 
and process appeals different from the data systems used by other 
Federal agencies, such as Social Security or the IRS? 

Mr. Chao. How is the Data Hub different? 

Mr. Green. Than the other agencies who obviously have up and 
running ways where Social Security and even IRS you can file? 

Mr. Chao. Well, I think what makes it different is that, for ex- 
ample, SSA is the eligibility agency for Medicare. So every night, 
SSA’s field offices load data about accretions and deletions into the 
Medicare Program, and we receive a very large file from them 
every night that we process for 2 to 3 hours to update all of our 
systems, so that providers can see new Medicare beneficiaries 
accreting into the system. That is lots of data moving between 2 
organizations, and it is stored and it is time-intensive. The Data 
Services Hub goes out and, for a requestor of that data, a valid re- 
questor, it reads the data where the source is, transfers it back to 
the requestor in a secure fashion, does not remember the contents 
of that data, and facilitates that without moving massive, you 
know, millions of records of data all at once, all the time, every 
day. It only transfers enough data to get the job done. 

Mr. Green. Were you at the HHS when we have gone through 
two Medicare enrolling by internet? I mean when we shifted from 
having to go into a Social Security office to file the paperwork, you 
can do it online now. 

Mr. Chao. Yes. Yes. 

Mr. Green. And I assume there were some glitches when that 
first started. 

Mr. Chao. Yes. 

Mr. Green. And, of course, we didn’t have a deadline and a roll- 
out and things like that. It was built in over the time so you had 
time to problem solve. And 

Mr. Chao. Right. 

Mr. Green [continuing]. Our problem is we don’t have that time 
to problem solve here in later November, and 

Mr. Chao. I still remember in the mid-’90s, SSA put up the elec- 
tronic benefits statement, and after a few months, they had to take 
it down and it didn’t come back up until years later 

Mr. Green. Well 

Mr. Chao [continuing]. Until they perfected it. 

Mr. Green. OK, thank you, Mr. Chairman. 

Mr. Murphy. Gentleman yields back. 

Now recognize the gentleman from Louisiana, Mr. Scalise, for 5 
minutes. 

Mr. Scalise. Thank you, Mr. Chairman. I appreciate you having 
this hearing, and, Mr. Chao, appreciate you coming to testify before 
the committee. 

We have had a number of hearings like this over the last few 
months, trying to find out first how the rollout was going to work, 
and of course, we have gotten testimony time and time again from 
the administration that the rollout was going to be fine. And then 
I think what is most frustrating is that when this report came out, 
this McKinsey report, that really chronicles the problems that were 
happening months ago, back in March and April, at the same time 
that administration officials were telling us that everything was 
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going to be fine, and to that — and telling American families that 
everything was going to be fine when October 1 hit. I guess there 
are many things about this that trouble me, but first, you know, 
when I look at this, you say you hadn’t seen this report, and I have 
read through a number of these items that McKinsey pointed out 
in the report that they were telling them to somebody in CMS, 
around you, over you, under you, somewhere, but these are things 
that should have been just basic testing requirements. I, you know, 
I used to write software. I actually wrote test plans for software 
rollouts, and, you know, in fact, many of these are just basic com- 
monsense things you do. I mean we — if we made one line of code 
change, we literally would test that over and over in multiple ways, 
let alone major changes. 

What this report talks about is chaos at CMS. Nobody is in 
charge. They talk about the fact that you had multiple people that 
were making multiple changes to — and major design changes to the 
system just weeks prior to testing, I mean — prior to the rollout 
without testing it. I mean did you have a test plan, whether or not 
you read this report, these are things that you should have been 
doing anyway. I mean were you all making changes, big changes 
all the way through, and were you testing any of those changes, or 
just saying, well, you know, they told us October 1, roll it out no 
matter what. 

Mr. Chao. You have asked a lot of questions in there. 

Mr. SCALISE. Yes. 

Ms. Chao. So let me try to recall how to address them. I think 
that certainly, yes, if you have this experience in software develop- 
ment, you need to have solid requirements before you can actually 
have good test cases in which to actually run tests. I think it is a 
dynamically changing environment of which, if we had more time 
and that time would have been devoted to solidifying requirements 
that are translated from policy 

Mr. ScALiSE. You had 3 years. I mean there were 3 years. This 
is not something that just kind of got plopped on your desk. I mean 
the law passed and was signed into law in 2010. There was a lot 
of time to prepare for it. The requirements — the major require- 
ments were changing weeks before, some of them for political rea- 
sons by the Obama administration. So you can’t just say, well, you 
know, we just didn’t have enough time. I mean somebody in CMS, 
and if it wasn’t you, it was — maybe it was Ms. Tavenner or who 
knows who it was, but somebody was making all these changes and 
saying, gee whiz, I mean, you know, we — let us make big changes 
and don’t test it because we just want to roll this thing out no mat- 
ter what. 

Mr. Chao. Well, having written software or written test cases, 
you know that the requirements come from the business side or the 
policy side. And they are subject to change based upon how your 
customer or your business 

Mr. ScALiSE. The law didn’t change. 

Mr. Chao. I 

Mr. ScALiSE. The law was passed, and for 3 years that law didn’t 
change. The law was there. You knew what those requirements 
were. Now, if you make changes in the requirements, you also 
ought to make changes in your test plan. 
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Mr. Chao. I think the law has a very high-level expression of re- 
quirements that, certainly, you can’t develop code or test cases 
from. There needs to be a significant amount of translation into 
lower level details. And that is what I mean by a schedule, chal- 
lenges that we have to receive those requirements and translate 
them into test cases, test data, to exercise the system as well as 
build the system too. So 

Mr. SCALISE. All right, well, look, they talk in this report that 
the contractor received absolutely conflicting direction between the 
various entities within CMS. Conflicting directions within CMS. 
That is not a requirement change. That is one person saying do 
this, and another person in the same agency saying do something 
different. And, by the way, none of that is being tested in the 
meantime. That is not evolving requirements, that is chaos within 
the Obama administration where they are literally changing things 
and multiple people are changing them and nobody is talking to 
anybody. 

Mr. Chao. Well, I can’t speak to how they characterized it, but 
I think that in CMS, we have Medicaid and CHIP requirements, 
we have insurance exchange requirements, oversight requirements, 
medical loss ratio, rate review, early retiree reinsurance, pre-exist- 
ing — 

Mr. ScALiSE. And I know you all have that. Look 

Mr. Chao. There are lots of 

Mr. ScALiSE [continuing]. You have got a job to 

Mr. Chao [continuing]. All I am saying is 

Mr. SCALISE. The bottom line is, the bottom line is, you know, 
this report lays out the chaos that was going on, but all of this in- 
formation was known within the White House. Reports were being 
briefed to people in the White House. And either President Obama 
didn’t know about it, in which case people directly under him knew 
that this thing was going to be a disaster and just didn’t tell him, 
or the President did know about it and went out misleading people 
anyway. But either way, if the President really didn’t know about 
this, this report says the White House absolutely knew what was 
going on, and they didn’t tell the President. He ought to be firing 
these people today. If somebody — if a CEO went out there and said 
I am rolling out this project, this would be just like buying a TV 
on Amazon, that is what the President said, and if somebody right 
underneath him knew that it wasn’t going to be like that, and this 
report says absolutely they knew and they didn’t tell the President, 
he ought to go and fire every single one of those people right now 
and hold them accountable, or maybe that just says that he did 
know about it. And we will see what the President says, but this 
report is damming. 

And I yield back the balance of my time. 

Mr. Murphy. Gentleman’s time has expired. 

Just — can you just clarify an answer you gave to the gentleman 
here? I thought you said something like, with more time, you would 
have done more testing, or something along those lines. Are you 
saying you would have liked to have more time? 

Mr. Chao. No, I think that is what I mean by there is a sched- 
ule, challenges that you are trying to maximize the time that you 
have left, as you are trying to extract the requirements from the 
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policy that is being finalized. The longer a policy takes to be final- 
ized, the longer it takes to translate the 

Mr. Murphy. Do you wish you would have had more time to test 
it? 

Mr. Chao. I think that is true of every project I have ever 
worked on. 

Mr. Murphy. Thank you. 

Now recognize Mr. Yarmuth for 5 minutes. 

Mr. Yarmuth. Thank you, Mr. Chairman. Thank you, Mr. Chao, 
for your testimony today. 

I just want to follow up a little bit on Mr. Scalise’s line of ques- 
tioning, the issue of whether or not you had 3 years to prepare for 
this. When was the deadline for States to decide when they’re — 
they were joining the — doing their own Exchanges or were going to 
participate in the Federal Exchange? 

Mr. Chao. I think the time frame was the end of 2012. 

Mr. Yarmuth. End of 2012. So January 1, essentially, of this 
past year. And when was the deadline for States to decide whether 
they were going to enter into a partnership with the Federal Gov- 
ernment? 

Mr. Chao. I believe it was the end of April of 2013. 

Mr. Yarmuth. So really, the department did — or CMS did not 
have 3 years to prepare, and there was probably no way to guess 
3 years ago that only 14 States and the District of Columbia were 
going to set up their own Exchanges. Wasn’t the anticipation that 
far more States would do their own Exchanges? 

Mr. Chao. Yes, we were hoping so. 

Mr. Yarmuth. So it really wasn’t until this year that CMS really 
understood the magnitude of the volume of work that the Web site 
was going to have to accommodate? 

Mr. Chao. Correct. It is 

Mr. Yarmuth. Right. 

Mr. Chao [continuing]. Not such a clear binary decision. You do 
or you don’t. There is still coordination that has to occur in 

Mr. Yarmuth. Right. Thank you for that. 

Now, obviously, when we are talking about security, we are talk- 
ing about two separate issues; one is the vulnerability of the sys- 
tem to some kind of outside attack. I don’t know why anyone would 
really want to attack the Federal Exchange, but assuming that is 
an issue. The second one is, the average citizen is concerned about 
information that is there about them. And I think that is one thing 
we are most interested here. Mr. Dingell actually asked you di- 
rectly about the fact that there really isn’t very much information 
on the Web site that would be considered private in nature. And 
I guess the question I would ask is, are people who are working 
with the Exchange now subject to or vulnerable to a more of a 
breach of their privacy than they were under the prior system 
when the insurance companies had pages and pages and pages of 
health information, including every doctor they had ever visited, 
every prescription they had ever taken, every medical procedure 
they had undergone and — over a certain period of time? Would you 
say that there was much more vulnerability under that system 
than there would be under the Federal Exchange? 
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Mr. Chao. Much more so because so much more personal infor- 
mation, including health information, was involved in that process. 

Mr. Yarmuth. And I think during the course of questioning we 
have actually done a pretty good job of debunking the issue as to 
whether there really was security problem here. There is no evi- 
dence that there has been, and I think there really hasn’t been any 
evidence presented that would make us doubt that. So I am glad 
about that, and I think that should encourage Americans to partici- 
pate more actively. 

And since — one other thing that has come up, and it involves the 
question of 80 percent, and it is something I want to clarify be- 
cause the press reports have been that the administration has said 
as a metric that 80 percent will be able to get on the site and 
smoothly sign up — enroll for health coverage as of the end of this 
month. That doesn’t mean that the remaining 20 percent won’t be 
able to access affordable quality health insurance, does it? 

Mr. Chao. No. I can’t speak to the exact percentages, but I think 
there is a recognition that some people, whether it be 
Healthcare.gov or any system, for example, if you walked into an 
SSA field office, how many people can actually get their business 
done in one visit, as compared to, you know, the greater majority 
of people? I think some people need extra help. They need assist- 
ance to navigate the process, and I think that that is probably 
what they were referring to. 

Mr. Yarmuth. Thank you very much for that. 

And I just want to do some shameless self-promotion for my 
State right now. As of last Friday, Kentucky, obviously operating 
its own Exchange, 48,000 Kentuckians are enrolled in new health 
insurance, 41 percent of them are under the age of 35. Over 
452,000 visitors have gone to the Web site, 380,000 people have 
conducted preliminary screenings to find out if they are eligible for 
coverage. And I think most importantly maybe, over — almost 1,000 
businesses have actually begun the process of signing up for new 
coverage for their employees, and over 300 have actually been en- 
rolled and have been qualified now to offer coverage. So Kentucky 
is doing well, and I hope the Federal Exchange will do just as well. 

I yield back. 

Mr. Murphy. Gentleman yields back. 

Now recognize Mr. Harper for 5 minutes. 

Mr. Harper. Thank you, Mr. Chairman. And, Mr. Chao, thank 
you for your time here today. 

And you replied earlier on a follow-up question that the chair- 
man had, I believe you said you would have liked to have had more 
time for the testing. Did you request more time from anyone? 

Mr. Chao. No. 

Mr. Harper. And can you tell me why you did not request more 
time? 

Mr. Chao. Because I was given a target of October 1 and various 
other deliver dates, of which I had to stay on schedule for. 

Mr. Harper. Did you believe it was ready for October 1? 

Mr. Chao. I believe we did everything we could to make sure 
that the right priorities were set so that we could deliver a system 
on October 1. 
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Mr. Harper. And do you believe the system was delivered on Oc- 
tober 1? 

Mr. Chao. It was. 

Mr. Harper. Do you believe 

Mr. Chao. It wasn’t performing as well as we liked, and certainly 
had more glitches than we anticipated, but we did deliver a system 
on October 1. 

Mr. Harper. Do you think glitches is the proper word to use to 
describe the rollout? 

Mr. Chao. I think there are problems. There are defects if you — 
you know, glitches is just a word that is commonly used right now. 

Mr. Harper. Well, glitches doesn’t seem to convey how serious 
the failure of the rollout has been, and so here we are. And, of 
course, one of the big concerns that we have is what do you do 
about making sure that personally identifiable information for 
those who sign up is protected. And on the report that you have 
there, on page 11, if I could get you to take a look at that real 
quick. On the McKinsey report. At the bottom of page 11 it says — 
and, of course, at the top it says, options that could be imple- 
mented to help mitigate key risks. At the bottom it says, name a 
single implementation leader and implement associated Govern- 
ment process. Has there been a single implementation leader 
named? 

Mr. Chao. I don’t think that is the way it has been characterized 
before by, I think, Marilyn Tavenner, our administrator, certainly 
has accepted accountability and she does run the agency and 

Mr. Harper. Certainly, but that is not saying that she is sup- 
posed to be the single implementation leader there. Is that how you 
read that report? 

Mr. Chao. I — but again, I didn’t see this until just this very 
minute, so I 

Mr. Harper. All right, when — ^you know, I spent some time here 
while we were waiting on time to question here, I went to the 
Healthcare.gov site, and it took a little while to try to figure out 
how in the search to get to the information on how you protect 
yourself from fraud in the health insurance marketplace. And it 
takes a couple of steps to get to this information. So people prob- 
ably more sophisticated than I am on this would need to be track- 
ing this. But if you look at it on the site, it says how to report sus- 
pected fraud, and it said you can report suspected fraud in one of 
two ways, and it lists a breakdown of one way, which is to use the 
Federal Trade Commission’s online complaint assistant. And I tried 
that a moment ago and it was not very successful. It says you can 
call your local police department, and then it says you can visit a 
site, the Federal Trade Commission, to learn more about identity 
theft. And the second choice is to call the Health Insurance Mar- 
ketplace Call Center, and it gives that number. So if you were the 
victim of personally identifiable information being fraudulently re- 
leased or obtained, who would you call first under that scenario? 

Mr. Chao. The listed call center number. The marketplace call 
center. 

Mr. Harper. And it 

Mr. Chao. If you are in a Federally Facilitated Marketplace. 
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Mr. Harper. OK, and it says, explain what happened and your 
information will he handled appropriately. How do you define han- 
dled appropriately? What is that? How do you get someone’s iden- 
tity back once it has been compromised or there has been an iden- 
tity theft? 

Mr. Chao. Well, I think there needs to be some analysis and col- 
lection of information to make sure what type of situation occurred, 
and then make a decision going forward there. 

Mr. Harper. Well, obviously, this is a critical matter, so some de- 
termination made. What is the time frame? How quickly can some- 
one’s life be put back together if this were to happen? 

Mr. Chao. I think it is situationally dependent, and I really 
can’t — I am not comfortable 

Mr. Harper. Sure. 

Mr. Chao [continuing]. Giving you an answer right off 

Mr. Harper. You had said earlier that steps were being taken 
to prevent unauthorized access to the site. What about those who 
may have authorized access but release it in an unauthorized man- 
ner, what protections or safeguards are put in there particularly for 
those that are the navigators, and the situation that there has been 
no background check, unless it was required in the State, how is 
that being handled with the use of navigators? 

Mr. Chao. I think the premise is that when we issue, for exam- 
ple, a grant to a navigator organization, or we sign a computer 
matching agreement with a State, that there are rules of behavior 
and certain, you know, kinds of requirements that are associated 
with signing that agreement or receiving that grant. 

Mr. Harper. Do you have a central reporting location of the 
navigators that are in violation or reported in violation? 

Mr. Chao. I have to check on that. 

Mr. Harper. My time has 

Mr. Murphy. Gentleman’s time has expired. 

Mr. Harper. You let us know. My time has expired. 

Mr. Murphy. Thank you. 

Mr. Lujan is recognized for 5 minutes. 

Mr. Lujan. Mr. Chairman, thank you so very much. 

Mr. Chao, you were just presented with a whole series of 
hypotheticals. Have any of those hypotheticals happened? 

Mr. Chao. No, not to our knowledge, no. 

Mr. Lujan. I appreciate that, and I would suggest, Mr. Chao, if 
someone was maliciously using information in a way that they 
were not allowed to use it, would that be a crime? 

Mr. Chao. Can you repeat that question again? 

Mr. Lujan. If someone hacked into the Web site, and was using 
information in a way that they weren’t allowed to use it, so — and 
anyway, wouldn’t that be considered a crime? 

Mr. Chao. Certainly, yes. 

Mr. Lujan. And I believe that we could fully prosecute those in- 
dividuals? 

Mr. Chao. Yes. 

Mr. Lujan. And I would hope that this committee would fully 
support and encourage the Department of Justice to go and fully 
prosecute anyone that is hacking this Web site. 
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Mr. Chairman, it wasn’t too long ago that there was a hearing 
that this committee had on Lifeline, and some of my Republican 
colleagues were encouraging members — citizens of the United 
States to go to visit Obamaphone.net to sign up for a Lifeline or 
to get information from the Web site as to the accuracy of what the 
program was about. An hour later, the Web site was taken down, 
and this committee, myself and Congresswoman Eshoo, asked the 
FTC to look into the matter, but they said it appears that in the 
fraudulent way that this data was being collected, that the Web 
site is now down. 

I think we as Members of Congress need to be careful with how 
we are purporting information out to the American people. We 
need to be careful about this. There is not, again, a member on this 
committee that doesn’t believe that we should get the Web site 
working, that we need to get to the facts of what is happening. And 
with that being said, Mr. Chao, I guess two things. Mr. Chairman, 
there is GAO report that was published on April 24 of 2012, enti- 
tled “Cybersecurity, Threats Impacting the Nation,” and I would 
like to ask unanimous consent to insert it into the record. 

Mr. Murphy. Sure. 

Mr. Lujan. The report, and I would invite everyone in the com- 
mittee to take a look at this. It was to the Homeland Security De- 
partment or committee, talking about the threats that our Nation 
is facing. The intelligence community. Homeland Security, the 
White House, members of Congress Web sites that have been 
hacked into. We need to do more in this area to make sure that 
we are keeping information secure. 

But with that being said, Mr. Chao, this has been talked about 
a bit, but on the front page of The Washington Post this morning, 
there was an article about a document that was leaked to the 
paper by the committee majority. The article describes an analysis 
conducted in 2013 by McKinsey and Company that identified po- 
tential risks in the development of Healthcare.gov. The report 
shadowed some of the problems that we now face today. 

Mr. Chao, did you see the report at the time it was published in 
March and April of 2013? 

Mr. Chao. No, I did not. 

M. Lujan. So is it fair to say that you are not the best person 
to comment on why the report was done, and how CMS and HHS 
responded to its findings? 

Mr. Chao. Yes. 

Mr. Lujan. Mr. Chairman, I raise this because it illustrates a 
number of problems with how this has been handled. In particular, 
the perception that is created when you withhold documents from 
the Democrats on the committee, and when you play gotcha games 
by leaking material to the press without context, it makes it appear 
that you are more interested in running a partisan investigation 
than in finding the facts, and I certainly hope that that is not the 
case, and believe that not to be true, but we need to work together 
to get to the bottom of this. 

So with that being said, Mr. Chao, what efforts is the Depart- 
ment of Health and Human Services undertaking to address the 
ongoing threats? 
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Mr. Chao. We listed as part of our mitigation strategy daily and 
weekly security testing and scans, which is something we always 
do, hut in this case we do it more frequently because we under- 
stand the sensitive nature of Healthcare.gov and the trust that — 
and confidence we have to obtain from people to come and use the 
site. 

Mr. Lujan. And how is the department coordinating with other 
Federal agencies who maintain Web sites that also gather personal 
information? 

Mr. Chao. I think we work with all of our key partners that are 
connected to the Hub to make sure that we function under what 
we call a harmonized privacy and security framework, and along 
with the States, have a process and a program in place to handle 
certain situations of which there are incidents that need to be man- 
aged, about potential data breaches. So we have a program, we 
have a policy, we have a set of operational procedures in place, 
working and coordinating across all these agencies. 

Mr. Lujan. And does that include, Mr. Chao, the intelligence 
community, the Department of Homeland Security? 

Mr. Chao. Yes. 

Mr. Lujan. Very good. 

So with that, Mr. Chairman, as I yield back my time, I just hope 
that it is clear, Mr. Chao, to you, to the President, that we are not 
happy with the rollout right now. We need to get this working. 
There are too many vulnerable Americans that need access to care, 
and we need to make sure that we can get them that coverage, in 
the same way, protect the information. But I think it is a big step 
forward that no longer will individuals have to report the kind of 
illnesses or accidents that they have had in their past, so that they 
can get care in the future. 

And with that, Mr. Chairman, I yield back. 

Mr. Murphy. Gentleman yields back. 

And without objection, the gentleman’s document will be admit- 
ted to the record. 

[The information follows:] 
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What GAO Found 

The nation faces an evolving array of cyber-based threats arising from a variety 
of sources. These threats can be intentional or unintentional. Unintentional 
threats can be caused by software upgrades or defective equipment that 
inadvertently disrupt systems, and intentional threats can be both targeted and 
untargeted attacks from a variety of threat sources. Sources of threats include 
criminal groups, hackers, terrorists, organization insiders, and foreign nations 
engaged in crime, politicai activism, or espionage and information warfare. These 
threat sources vary in terms of the capabilities of the actors, their willingness to 
act, and their motives, which can include monetary gain or political advantage, 
among others. Moreover, potential threat actors have a variety of attack 
techniques at their disposal, which can adversely affect computers, software, a 
network, an organization's operation, an industry, or the Internet itself. The 
nature of cyber attacks can vastly enhance their reach and impact due to the fact 
that attackers do not need to be physically close to their victims and can more 
easily remain anonymous, among other things. The magnitude of the threat is 
compounded by the ever-increasing sophistication of cyber attack techniques, 
such as attacks that may combine multiple techniques. Using these techniques, 
threat actors may target individuals, businesses, critical infrastructures, or 
government organizations. 

The threat posed by cyber attacks is heightened by vulnerabilities in federal 
systems and systems supporting critical infrastructure. Specifically, significant 
weaknesses in information security controls continue to threaten the 
confidentiality, integrity, and availability of critical information and information 
systems supporting the operations, assets, and personnel of federal government 
agencies. For example, 18 of 24 major federal agencies have reported 
inadequate information security controls for financial reporting for fiscal year 
2011, and inspectors general at 22 of these agencies identified information 
security as a major management challenge for their agency. Moreover, GAO, 
agency, and inspector general assessments of information security controls 
during fiscal year 201 1 revealed that most major agencies had weaknesses in 
most major categories of information system controls. In addition, GAO has 
identified vulnerabilities in systems that monitor and control sensitive processes 
and physical functions supporting the nation’s critical infrastructures. These and 
similar weaknesses can be exploited by threat actors, with potentially severe 
effects. 

The number of cybersecurity incidents reported by federal agencies continues to 
rise, and recent incidents illustrate that these pose serious risk. Over the past 6 
years, the number of incidents reported by federal agencies to the federal 
information security incident center has increased by nearly 680 percent. These 
incidents include unauthorized access to systems; improper use of computing 
resources; and the installation of malicious software, among others. Reported 
attacks and unintentional incidents involving federal, private, and infrastructure 
systems demonstrate that the impact of a serious attack could be significant, 
including loss of personal or sensitive information, disruption or destruction of 
critical infrastructure, and damage to national and economic security. 
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Chairman McCaul, Ranking Member Keating, and Members of the 
Subcommittee: 

Thank you for the opportunity to testify at today’s hearing on the cyber- 
based threats facing our nation. 

The Increasing dependency upon information technology (IT) systems 
and networked operations pervades nearly every aspect of our society. In 
particular, increasing computer interconnectivity— most notably growth in 
the use of the Internet — has revolutionized the way that our government, 
our nation, and much of the world communicate and conduct business. 
While bringing significant benefits, this dependency can also create 
vulnerabilities to cyber-based threats. Pervasive and sustained cyber 
attacks against the United States could have a potentially devastating 
impact on federal and nonfederal systems and operations. In January 
2012, the Director of National intelligence testified that such threats pose 
a critical national and economic security concern.’ These growing and 
evolving threats can potentially affect all segments of our society — 
individuals; private businesses: local, state, and federal governments; and 
other entities. Underscoring the importance of this issue, we have 
designated federal information security as a high-risk area since 1997 
and in 2003 expanded this area to include protecting computerized 
systems supporting our nation’s critical infrastructure.^ 

In my testimony today, I will describe (1) cyber threats facing the nation’s 
systems, (2) vulnerabilities present in federal systems and systems 
supporting critical infrastructure,® and (3) reported cyber incidents and 
their impacts. In preparing this statement in April 2012, we relied on our 
previous work in these areas. (Please see the related GAO products in 
appendix I.) These products contain detailed overviews of the scope and 
methodology we used. We also reviewed more recent agency, inspector 


’James R. Clapper, Director of National intelligence, Unclassified Statement for the 
Record on the Worldwide Threat Assessment of the US Intelligence Community for the 
Senate Select Cwnmittee on Intelligence (January 31. 2012). 

^See, most recently, GAO. High-Risk Series: An Update, GAO-1 1-278 (Washington, D.C.; 
February 2011). 

^Critical inft^structures are systems and assets, whether physical or virtual, so vital to our 
nation that their incapacity or destruction would have a debilitating impact on national 
security, economic well-being, public health or safety, or any combination of these. 
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general, and GAO assessments of security vulnerabilities at federal 
agencies and information on security incidents from the U.S. Computer 
Emergency Readiness Team (US-CERT), media reports, and other 
publicly available sources. The work on which this statement is based 
was conducted in accordance with generally accepted government 
auditing standards. Those standards require that we plan and perform 
audits to obtain sufficient, appropriate evidence to provide a reasonable 
basis for our findings and conclusions based on our audit objectives. We 
believe that the evidence obtained provided a reasonable basis for our 
findings and conclusions based on our audit objectives. 


Background 


As computer technology has advanced, both government and private 
entities have become increasingly dependent on computerized 
information systems to carry out operations and to process, maintain, and 
report essential information. Public and private organizations rely on 
computer systems to transmit sensitive and proprietary information, 
develop and maintain intellectual capital, conduct operations, process 
business transactions, transfer funds, and deliver services. In addition, 
the Internet has grown increasingly important to American business and 
consumers, serving as a medium for hundreds of billions of dollars of 
commerce each year, as well as developing Into an extended information 
and communications infrastructure supporting vital services such as 
power distribution, health care, law enforcement, and national defense. 

Consequently, the security of these systems and networks Is essential to 
protecting national and economic security, public health and safety, and 
the flow of commerce. Conversely, ineffective information security 
controls can result in significant risks, including 

. loss or theft of resources, such as federal payments and collections: 

• inappropriate access to and disclosure, modification, or destruction of 
sensitive information, such as national security information, personal 
taxpayer information, or proprietary business information; 

• disruption of critical operations supporting critical infrastructure, 
national defense, or emergency services; 

• undermining of agency missions due to embarrassing incidents that 
erode the public’s confidence in government; and 

• use of computer resources for unauthorized purposes or to launch 
attacks on other computers systems. 
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The Nation Faces an 
Evolving Array of 
Cyber-Based Threats 


Cyber-based threats are evolving and growing and arise from a wide 
array of sources. These threats can be unintentional or intentional. 
Unintentional threats can be caused by software upgrades or defective 
equipment that inadvertently disrupt systems. Intentional threats include 
both targeted and untargeted attacks from a variety of sources, including 
criminal groups, hackers, disgruntled employees, foreign nations engaged 
in espionage and information warfare, and terrorists. These threat 
sources vary in terms of the capabilities of the actors, their willingness to 
act, and their motives, which can include monetary gain or political 
advantage, among others. Table 1 shows common sources of cyber 
threats. 


Table 1 : Sources of Cybersecurity Threats 

Threat source 

Description 

Bot-network operators 

Bot-net operators use a network, or bot-net, of ccHnpromised, remotely controlled systems to 
coordinate attad<s and to distribute phishing schemes, spam, and malware attacks. The services of 
these networks are somefimes made available on underground markets (e.g,, purchasing a denial- 
of-service attack or services to relay spam or phishing attacks). 

Criminal groups 

Criminal groups seek to attack systems for monetaiy gain. Specifically, organized criminal groups 
use spam, phishing, and spyware/malware to commit identity theft, online fraud, and computer 
extortion, international corporate spies and criminal organizations also pose a threat to the United 
States through their ability to conduct industrial espionage and large-scale monetary theft and to 
hire or develop hacker talent. 

Hackers 

Hackers break into networks for the thrill of the challenge, bragging rights in the hacker community, 
revenge, stalking, monetary gain, and political activism, among other reasons. While gaining 
unauthorized access once required a fair amount of skill or computer knowledge, hackers can now 
download attack scripts and protocols from the Internet and launch them against victim sites. Thus, 
while attack tools have become more sophisticated, they have also become easier to use. 

According to the Central Intelligence Agency, the large majority of hackers do not have the requisite 
expertise to threaten difficult targets such as critical U.S. networks. Nevertheless, the worldwide 
population of hackers poses a relatively high threat of an isolated or brief disruption causing serious 
damage. 

Insiders 

The disgruntled organization insider is a principal source of computer crime. Insiders may not need 
a great deal of knowledge about computer intrusions because their knowledge of a target system 
often allows them to gain unrestricted access to cause damage to the system or to steal system 
data. The insider threat includes contractors hired by the organization, as well as careless or pooily 
trained employees who may inadvertently introduce malware into systems, 

Nations 

Nations use cyber tools as part of their information-gathering and espionage activities. In addition, 
several nations are aggressively working to develop infonnation warfare doctrine, programs, and 
capabilities. Such capabilities enable a single entity to have a significant and serious impact by 
disrupting the supply, communications, and economic infrastructures that support military povirer— - 
impacts that could affect the daily lives of citizens across the country. In his January 201 2 
testimony, the Director of National Intelligence stated that, among state actors, China and Russia 
are of particular concern. 

Phishers 

Individuals or small groups execute phishing schemes in an attempt to steal identities or 
information for monetary gain. Phishers may also use spam and spyware or malware to accomplish 
their objectives. 
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Threat source 

Description 

Spammere 

Individuals or organizatic^s distribute unsolicited e-mail with hidden or false intermation in enter to 
sell products, conduct phistung schemes, distribute spyware or malware, or attack organizations 
(e.g., a dental of service). 

Spyware or maiware aulhors 

individuals or organizations vrite malicious intent carry out attacks against users by producing and 
distributing spyware and malware. Several destructive computer viruses and wonns ha\re harmed 
flies and hard drives, ^duding the Melissa Macro Virus, the Explore.Zip worm, the CIH (Chernobyl) 
Vires. Nimda, Code Red. Slammer, and Blaster. 

Terroriste 

Terrorists seek to destroy, incapacitate, or exploit critical Infrastructures in order to threaten national 
security, cause mass casualties, weaken the economy, and damage public morale and confidence. 
Ten’orists may use phishing schemes or spyvifare/maiware in order to generate ftinds or gatirer 
sensitive information. 


Source: GAO aneijrsie based on data from the Director of National Intelligenee, D^rtment of Jisliee, Centra tntelllsenca Agency, and 
the Software Engineering Institute’s CERTO CoonSneton Center. 


These sources of cyber threats make use of various techniques, or 
expioits, that may adversely affect computers, software, a network, an 
organization’s operation, an industry, or the Internet itself. Table 2 
provides descriptions of common types of cyber exploits. 

Table 2: Types of Cyber Exploits 

Type of exploit 

Description 

Cross-site scripting 

An attack that uses third-party web resources to run script within the victim’s web bro>A«er 
or scriptable application. This occurs when a browser visits a malicious website or dicks a 
malicious link. The most dangerous consequences occur when this method is used to 
exploit additional vulnerabilities that may permit an attacker to steal cookies (data 
exchanged between a web server and a browser), log key strokes, capture screen shots, 
discover and collect network information, and remotely access and control the victim’s 
machine. 

Denial-of-service 

An attack that prevents or impairs the authorized use of networks, systems, or 
applications by exhausting resources. 

Distributed deniai-of-service 

A variant of the denial-of-ser\rice attack that uses numerous hosts to perform tiie attack. 

Logic bombs 

A piece of programming code intentionally inserted into a software system that will cause 
a malicious function to occur when one or more specified conditions are met 

Phishing 

A digital form of soda! engineering that uses authentic-looking, but teke, e-mails to 
request information from users or direct them to a fake website that requests information. 

Passive wretapping 

The monitoring or recording of data, such as passwords transmitted in dear text, while 
they are being transmitted ovw a communications link. This is done without altering or 
affecting the data. 

Structured Query Language (SQL) An attack that involves the alteration of a database search in a web-based application, 

injection which can be used to c^tain unauthorized access to sensiti>^ information in a database. 

Trojan horse 

A computer program that appears to have a useful fonction, but also has a hidden and 
potentially malicious function that evades security mechanisms by. for example, 
masquerading as a usefol program that a user would likely execute. 


Page 4 


GAO-12-666T Cyber Threats 








54 




Type of exploit 

Description 

Virus 

A computer program that can copy itself and infect a computer \«ithout the permission or 
knowledge of tlw user. A virus might corrupt or delete data on a computer, use e-maii 
progr^s to spread iteeff to other ccxnputers, or even erase everything on a hard disk. 
Unlike a computer vrorm. a virus requires human involvement (usually unwitting) to 
propagate. 

War driving 

The method of driving through cities and neighborhoods with a wireless-equipped 
computer- sometimes with a powerful antenna-searching for unsecured wireless 
networks. 

Worm 

A self-replicating, seif-propagating, self-contained program that uses network mechanisms 
to spread itself. Unlike computer vimses, worms do not require human involvement to 
propagate. 

Zero-day exploit 

An exploit that takes advantage of a security vulnerability previously unknown to the 
general public. In many cases, the exploit code is written by the same person who 
discovered toe vulnerability. By writing an exploit for the previously unknown vulnerability, 
the attacker creates a potent toreat since toe compressed timeframe between public 
discoveries of both makes it difficult to defend against. 


Source: QAO analysis oioata from the Na&ortsi irtsmutt of Standards and Teehnoiogy, United States Computer Emergency Reattness 
Team, and irtdustry reports. 


The unique nature of cyber-based attacks can vastly enhance their reach 
and impact. For example, cyber attackers do not need to be physically 
close to their victims, technology allows attacks to easily cross state and 
national borders, attacks can be carried out at high speed and directed at 
a number of victims simultaneously, and cyber attackers can more easily 
remain anonymous. Moreover, the use of these and other techniques is 
becoming more sophisticated, with attackers using multiple or “blended” 
approaches that combine two or more techniques. Using these 
techniques, threat actors may target individuals, resulting in loss of 
privacy or identity theft; businesses, resulting in the compromise of 
proprietary information or intellectual capital; critical infrastructures, 
resulting in their disruption or destruction; or government agencies, 
resulting in the loss of sensitive information and damage to economic and 
national security. 
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Systems Supporting 
Federal Operations 
and Critical 
Infrastructure Are 
Vulnerable to Cyber 
Attacks 


Significant weaknesses in information security controls continue to 
threaten the confidentiality, integrity, and availability of critical information 
and information systems used to support the operations, assets, and 
personnel of federal agencies. For example, in their performance and 
accountability reports and annual financial reports for fiscal year 201 1 , 1 8 
of 24 major federal agencies'' indicated that inadequate information 
security controls were either material weaknesses or significant 
deficiencies® for financial reporting purposes. In addition, inspectors 
general at 22 of the major agencies identified information security or 
information system control as a major management challenge for their 
agency. 

Agency, inspectors general, and GAO assessments of information 
security controls during fiscal year 201 1 revealed that most major federal 
agencies had weaknesses in most of the five major categories of 
information system controls: (1) access controls, which ensure that only 
authorized individuals can read, alter, or delete data; (2) configuration 
management controls, which provide assurance that only authorized 
software programs are implemented; (3) segregation of duties, which 
reduces the risk that one individual can independently perform 
inappropriate actions without detection; (4) continuity of operations 
planning, which helps avoid significant disruptions in computer-dependent 
operations; and (5) agencywide information security programs, which 
provide a framework for ensuring that risks are understood and that 
effective controls are selected and implemented. Figure 1 shows the 


^The 24 major departments and agencies are the Departments of Agriculture, Commerce, 
Defense, Education, Energy, Health and Human Services, Homeland Security, Housing 
and Urban Develc^sment, the Interior, Justice, Labor, State, Transportation, the Treasury, 
and Veterans Affairs; the Enwronmentai Protection Agency, Genera! Serwoes 
Administration, National Aeronautics and Space Administration, National Science 
Foundation. Nuclear Regulatory Commission, Office of Personnel Management, Small 
Business Administration, Social Security Administration, and U.S. Agency for International 
Development. 

^A materia! weakrtess is a deficiency, or a combination of deficiencies, in internal control 
such that there is a reasonable possibility that a material misstatement of the entity's 
financiai statements will not be prevented, or detected and corrected on a timely basis. A 
significant deficiency is a deficiency, or a combination of deficiencies, in internal confrol 
that is less severe than a material weakness, yet important enough to merit attention by 
those charged with governance. A control deficiency exists when the design or operation 
of a control does not allow management or employees, in tiie normal course of performing 
their assigned fijnctions, to prevent, or detect and correct, misstatements on a timely 
basis. 
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number of agencies that had vuinerabilities in these five information 
security control categories. 


Figure 1: Information Security Weaknesses at 24 Major Federal Agencies in Fiscal 
Year 2011 
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Over the past several years, we and agency inspectors general have 
made hundreds of recommendations to resolve similar previously 
identified significant control deficiencies. We have also recommended 
that agencies fully implement comprehensive, agencywide information 
security programs, including by correcting weaknesses in specific areas 
of their programs. The effective implementation of these 
recommendations will strengthen the security posture at these agencies. 

In addition, securing the control systems that monitor and control 
sensitive processes and physical functions supporting many of our 
nation’s critical infrastructures is a national priority, and we have identified 
vulnerabilities in these systems. For example, in September 2007, we 
reported that critical infrastructure control systems faced increasing risks 
due to cyber threats, system vuinerabilities, and the serious potential 
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impact of possible attacks.® Specifically, we determined that critical 
infrastructure owners faced both technical and organizational challenges 
to securing control systems, such as limited processing capabilities and 
developing compelling business cases for investing In control systems 
security, among others. We further identified federal initiatives under way 
to help secure these control systems, but noted that more needed to be 
done to coordinate these efforts and address shortfalls. We made 
recommendations to the Department of Homeland Security to develop a 
strategy for coordinating control systems security efforts and enhance 
information sharing with relevant stakeholders. Since this report, the 
department formed the Industrial Control Systems Cyber Emergency 
Response Team to provide Industrial control system stakeholders with 
situational awareness and analytical support to effectively manage risk. In 
addition, it has taken several actions, such as developing a catalog of 
recommended security practices for control systems, developing a 
cybersecurity evaluation tool that allows asset owners to assess their 
control systems and overall security posture, and collaborating with 
others to promote control standards and system security. We have not 
evaluated these activities to assess their effectiveness in improving the 
security of control systems against cyber threats. 

In May 2008, we reported that the Tennessee Valley Authority's (TVA) 
corporate network contained security weaknesses that could lead to the 
disruption of control systems networks and devices connected to that 
network,^ We made 19 recommendations to improve the Implementation 
of information security program activities for the control systems 
governing TVA's critical infrastructures and 73 recommendations to 
address weaknesses in information security controls. TVA concurred with 
the recommendations and has taken steps to implement them. 

In addition to those present in federal systems and systems supporting 
critical infrastructure, vulnerabilities in mobile computing devices used by 
individuals or organizations may provide openings to cyber threats. For 
example, consumers and federal agencies are increasing their use of 
mobile devices to communicate and access services over the Internet. 


®GAO, Cntical Infrastructure Protection: Multiple Efforts to Secure Control Systems Are 
Under Way, but Challenges Remain, GAOT)7-1036 (Washington, D.C,: Sept 10, 2007). 

^GAO, Information Security: TVA Reeds to Address Weaknesses in Control Systems and 
Networks, GAOTi8-52$ (Washington, D.C.: May 21, 2008). 
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The use of these devices offers many benefits including ease of sending 
and checking messages and remotely accessing information online; 
however, it can also introduce Information security risks if not properly 
protected. We have ongoing work to determine (1) what common security 
threats and vulnerabilities affect generally available cellphones, 
smartphones, and tablets; (2) what security features and practices have 
been Identified to mitigate the risks associated with these vulnerabilities; 
and (3) the extent to which government and private entities are 
addressing security vulnerabilities of mobile devices. 


Number of 
Cybersecurity 
Incidents Reported by 
Federal Agencies 
Continues to Rise, 
and Recent Incidents 
Illustrate Serious Risk 


Federal agencies have reported increasing numbers of security incidents 
that placed sensitive information at risk, with potentially serious impacts 
on federal operations, assets, and people. When incidents occur, 
agencies are to notify the federal information security incident center— 
US-CERT. Over the past 6 years, the number of incidents reported by 
federal agencies to US-CERT has increased from 5,503 incidents in fiscal 
year 2006 to 42,887 incidents in fiscal year 201 1 , an increase of nearly 
680 percent (see fig. 2).® 


®According to US-CERT. the growth in the number of incidents is attributaWe, in part, to 
agencies improving detection and reporting of security incidents on ttieir respecti\te 
networt<s. 
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Figure 2: incldente Reported to US-CERT: Fiscal Years 2006- 
2011 

Numt}w of ifwMants r»)>ort»d 
48,000 
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Sowru: GAO «na)y*t« of USCERT Oat* ^ fitcal y»sr» 2000-2011 

Agencies reported the types of incidents and events based on US-CERT- 
defined categories. As indicated in figure 3, the two most prevalent types 
of incidents and events repotted to US-CERT during fiscal year 201 1 
were unconfirmed incidents under investigation and malicious code. 
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Figure 3: Types of Incidents Reported to US-CERT in Fiscal Year 2011 by 
Category 
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Reported attacks and unintentional incidents involving federal, private, 
and critical infrastructure systems demonstrate that the impact of a 
serious attack could be significant. These agencies and organizations 
have experienced a wide range of incidents involving data loss or theft, 
computer intrusions, and privacy breaches, underscoring the need for 
improved security practices. The following examples from news media 
and other public sources illustrate that a broad array of information and 
assets remain at risk. 


• In April 2012, hackers breached a server at the Utah Department of 
Health to access thousands of Medicaid records. Included in the 
breach were Medicaid recipients and clients of the Children’s Health 
Insurance Plan. About 280,000 people bad their Social Security 
numbers exposed. In addition, another 350,000 people listed in the 
eligibility inquiries may have had other sensitive data stolen, including 
names, birth dates, and addresses. 

• In March 2012, it was reported that a security breach at Global 
Payments, a firm that processed payments for Visa and Mastercard, 
could compromise the credit- and debit-card information of millions of 
Americans. Subsequent to the reported breach, the company’s stock 
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feii more than 9 percent before trading in its stock was halted. Visa 
aiso removed the company from its iist of approved processors. 

• In February 201 2, the inspector generai at the National Aeronautics 
and Space Administration testified that an unencrypted notebook 
computer had been stolen from the agency in March 2011. The theft 
resulted in the loss of the algorithms used to command and control 
the International Space Station. 

• In March 2012, a news wire service reported that the senior 
commander of the North Atlantic Treaty Organization (NATO) had 
been the target of repeated cyber attacks using the social networking 
website Facebook that were believed to have originated in China. 
According to the article, hackers repeatedly tried to dupe those close 
to the commander by setting up fake Facebook accounts in his name 
in the hope that his acquaintances would make contact and answer 
private messages, potentially divulging sensitive information about the 
commander or themselves. 

• in March 2012, it was reported that Blue Cross Blue Shield of 
Tennessee paid out a settlement of $1 .5 million to the U.S, 

Department of Health and Human Services arising from potential 
violations stemming from the theft of 57 unencrypted computer hard 
drives that contained protected health information of over 1 million 
individuals. 

. In January 201 2, the Department of Commerce discovered that the 
computer network of the department’s Economic Development 
Administration (EDA) was hit with a virus, forcing EDA to disable e- 
mail services and Internet access pending investigation into the cause 
and scope of the problem, which persisted for over 12 weeks. 

• In June 201 1 , a major bank reported that hackers had broken into its 
systems and gained access to the personal information of hundreds of 
thousands of customers. Through the bank's online banking system, 
the attackers were able to view certain private customer information. 

• Citi reissued over 200,000 cards after a May 201 1 website breach. 
About 360,000 of its approximately 23.5 million North American card 
accounts were affected, resulting in the potential for misuse of 
cardholder personal information. 

. In April 2011, Sony disclosed that it suffered a massive breach in its 
video game online network that led to the theft of personal 
information, including the names, addresses, and possibly credit card 
data belonging to 77 million user accounts. 

« In February 201 1 , media reports stated that computer hackers had 

broken into and stolen proprietary information worth millions of dollars 
from the networks of six U.S. and European energy companies. 

. In July 2010, a sophisticated computer attack, known as Stuxnet, was 
discovered. It targeted control systems used to operate industrial 
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processes in the energy, nuclear, and other critical sectors, reportedly 
causing physical damage. It is designed to exploit a combination of 
vulnerabilities to gain access to its target and modify code to change 
the process, 

• A retailer reported in May 201 1 that it had suffered a breach of its 
customers’ card data. The company discovered tampering with the 
personal identification number (PIN) pads at its checkout lanes in 
stores across 20 states. 

. in August 2006, two circulation pumps at Unit 3 of the Browns Ferry, 
Alabama, nuclear power plant failed, forcing the unit to be shut down 
manually. The failure of the pumps was traced to excessive traffic on 
the control system network, possibly caused by the failure of another 
control system device. 

These incidents illustrate the serious impact that cyber threats can have 
on federal agency operations, the operations of critical infrastructures, 
and the security of sensitive personal and financial information. 


In summary, the cyber-threats facing the nation are evolving and growing, 
with a wide array of potential threat actors having access to increasingly 
sophisticated techniques for exploiting system vulnerabilities. The danger 
posed by these threats is heightened by the weaknesses that continue to 
exist in federal information systems and systems supporting critical 
infrastructures. Ensuring the security of these systems is critical to 
avoiding potentially devastating impacts, including loss, disclosure, or 
modification of personal or sensitive information; disruption or destruction 
of critical infrastructure; and damage to our national and economic 
security. 

Chairman McCaul, Ranking Member Keating, and Members of the 
Subcommittee, this concludes my statement. I would be happy to answer 
any questions you have at this time. 
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Mr. Murphy. The Chair now recognizes the gentleman from Col- 
orado, Mr. Gardner, for 5 minutes. 

Mr. Gardner. Thank you, Mr. Chairman, and thank you, Mr. 
Chao, for your time before the committee today. 

Last week, the President met with several representatives of the 
insurance industry to discuss solutions that may be possible in 
light of the Healthcare.gov debacle. Have you had any conversa- 
tions about changes you can make to Healthcare.gov to assist the 
insurance industry? 

Mr. Chao. I think part of the strategy — I haven’t spoken to the 
issues myself or been part of those meetings, but I think as part 
of the strategy under Jeff Zients is to improve the experience of 
consumers, but that involves, you know, key third parties that are 
also key to this equation of getting around those agents and bro- 
kers, and working with issuers to fix, you know, certain aspects of 
the systems to make it work better. 

Mr. Gardner. So have you had any discussions then about pro- 
viding insurance companies with the ability to directly enroll, or 
anybody in your agency department? 

Mr. Chao. We had designed something called direct enrollment 
into Healthcare.gov, or part of that FFM system architecture to ac- 
commodate that. 

Mr. Gardner. And so that is ready — that feature has been 
turned on or it has not been turned on? 

Mr. Chao. It was not working well initially, like many other 
things, but we have been performing fixes and optimizing it, and 
working with issuers to get direct enrollment up. 

Mr. Gardner. So have you had any discussions about giving in- 
surers direct access to information on eligibility for subsidies? 

Mr. Chao. Only at — in terms of the result. There is a series 
of 

Mr. Gardner. That is a 

Mr. Chao [continuing]. Security and of handoffs. 

Mr. Gardner [continuing]. Yes 

Mr. Chao. Right. 

Mr. Gardner. That is a yes then? 

Mr. Chao. Yes. 

Mr. Gardner. OK. Thank you for that. 

Do you — going back to the question then about the feature on the 
Web site, will that happen in the future then to that question, dis- 
cussions about giving insurers direct access to information on eligi- 
bility for subsidies? Do you believe that will happen in the future? 

Mr. Chao. It is not really direct access, it is more of a hand-off, 
a secure hand-off in which they have collected enough information 
about the applicant and their, you know, or an agent and broker, 
and this person has given authorization for a consent to work with 
them as a third party. 

Mr. Gardner. So that is a yes then again as well? 

Mr. Chao. It is not access direct to eligibility data, it is a more 
involved process that protects the person’s information. 

Mr. Gardner. But the insurance company will be getting the 
subsidy access? 

Mr. Chao. They don’t get to calculate it. We — that is a market- 
place — 
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Mr. Gardner. But they will have information on the eligibility 
for the subsidies directly? 

Mr. Chao. Only as a result of the marketplace handling that 
data, not touching that eligibility data themselves. 

Mr. Gardner. The committee has been reviewing materials that 
indicates that some parts of Healthcare.gov were not completed be- 
fore the launch, as we have discussed here. What portion or per- 
centage of the Web site remained to be created when you launched 
on October 1? 

Mr. Chao. I don’t have an exact percentage. I think some of pre- 
vious conversations when people ask about whether things were 

complete, I look at it in terms of overall marketplace systems 

Mr. Gardner. So you have never talked about what is complete, 
what is not complete, whether it is — how much to go? 

Mr. Chao. I think it was a set of priority functions that needed 
to be in place. Like, for example, you had to authenticate an indi- 
vidual. That is a key function that had to be done. 

Mr. Gardner. Well, how much do we have to build today still? 
I mean what do we need to build, 50 percent, 40 percent, 30 per- 
cent? 

Mr. Chao. I think it is, just an approximation, we are probably 
sitting somewhere between 60 and 70 percent, because we still 
have to build the system 

Mr. Gardner. But 60 or 70 percent that needs to be built still? 
Mr. Chao. Because we still have to build the payment systems 
to make payments to issuers in January. 

Mr. Gardner. So let me get this correct, 60 to 70 percent of 
Healthcare.gov still needs to be built? 

Mr. Chao. It is not really Healthcare.gov; it is the Federally Fa- 
cilitated Marketplace 

Mr. Gardner. But the entire system that the American people 

are being required to rely upon 

Mr. Chao. That part is there. 

Mr. Gardner [continuing]. Sixty to 70 percent 

Mr. Chao. Healthcare.gov, the online application, verification, 

determination 

Mr. Gardner. That is 

Mr. Chao [continuing]. Plan compare, getting enrolled, gener- 
ating the enrollment transaction, that is 100 percent there. What 
I am talking about is 

Mr. Gardner. But the entire system is 60 to 70 percent away 
from being complete? 

Mr. Chao. Yes, there is the back office systems, the accounting 

systems, the 

Mr. Gardner. Thank 

Mr. Chao [continuing]. Payment systems 

Mr. Gardner. Thank you for that. 

Mr. Chao [continuing]. They still need to be 

Mr. Gardner. And how — of those 60 to 70 percent of systems 
that are still being built, how are they going to be tested? 

Mr. Chao. You mean the remaining 

Mr. Gardner. Yes. 

Mr. Chao [continuing]. Thirty to 40 percent? How are they going 
to be tested? 
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Mr. Gardner. Yes. 

Mr. Chao. In the same exact manner we tested everything else. 

Mr. Gardner. Is it difficult to review the new parts of the Weh 
site while it is operating? 

Mr. Chao. It won’t affect the front end — the front part 

Mr. Gardner. But that is pretty difficult, isn’t it? 

Mr. Chao. Excuse me? 

Mr. Gardner. It is pretty difficult to review it while it is in oper- 
ation, correct? 

Mr. Chao. No, it doesn’t involve the front part. The 

Mr. Gardner. Right, but where it is operating within 

Mr. Chao [continuing]. Eligibility — when we are trying to cal- 
culate a payment, derive a payment, do data matches on the back 
end, that doesn’t affect the Healthcare.gov operations. 

Mr. Gardner. How long will you have to test those parts that 
you are building? 

Mr. Chao. They are an ongoing basis. Depends on their build 
schedule. 

Mr. Gardner. So is it appropriate, given the performance of 
Healthcare.gov where we are at right now, to launch any new ap- 
plications or features without testing them heavily before they go 
live? 

Mr. Chao. We are testing. 

Mr. Gardner. Mr. Chairman, I have several other questions and 
will follow up with you, but thank you for your time. 

Mr. Murphy. Thank you. 

Now recognize Mr. Welch for 5 minutes. 

Mr. Welch. Thank you very much. Thank you for the hearing. 

There is a mutual desire to get this thing to work, and there are 
really two models that we can use to deal with the failed rollout. 
One is to fix it, and the other is to use it as fodder to re-litigate 
the battle about whether health care is the law of the land. And 
my hope is that we are past that. There is an absolute urgency to 
make things work, and I know, Mr. Chao, that is your job, and I 
just want to put this into context. We had a big battle in this Con- 
gress, I was not here, over the passage of Medicare Part D. It was 
a largely partisan vote. The Republicans, under George Bush, were 
for it, most of the Democrats were against it, but it passed in a 
very close, tense vote. And my understanding is that as it then 
went into the implementation phase which required a computer 
program and a Web site, there were lots of significant difficulties 
with that program, and there were concerns about having it work. 

And I just want to ask you a little bit about that history, so that 
we have a context for the challenges we have today, not at all as 
an excuse because there is real unity about needing to get this 
fixed, but are the actions we take about getting it fixed or about 
trying to derail and scuttle the overall healthcare program. Amer- 
ica is going to have to judge. 

But can you give us a sense what was going on inside the Agency 
when you were preparing the Medicare Part D Web site in 2005, 
and were there concerns and issues that needed to be addressed 
then? 

Mr. Chao. The biggest and most prominent example that I can 
recall was the concern around auto-assignment and auto-enrolling 
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Medicare — Medicaid full benefit dual eligibles to receive a Part D 
prescription drug benefit, and switching them over as of January 
1, and that we had sent these enrollment files out to the plans — 
the health plans or Part D sponsors, around November, and in De- 
cember it was some realization, you know, last-minute realization 
that pharmacists and pharmacies were — who were on the frontline 
of helping these beneficiaries, required, you know, some access to 
information to help them navigate this new change. So as an exam- 
ple, we scrambled and we developed a method for pharmacies to ac- 
tually get access through authorizations to Medicare enrollment 
data for the dual eligibles that were enrolled so that, at point of 
sale, they can at least do things such as, you know, three day 
fills 

Mr. Welch. Right. 

Mr. Chao [continuing]. Just to figure out what plan they might 
be in. And, you know, that is just an example. I recall that was a 
mass scramble, time crunch, had to get it in place, lots of, you 
know, working around the clock, lots of urgency, pushing many, 
many people, not just on the contractor and the staff side, but 
working with the prescription drug industry as a whole, including 
pharmacists, to make this happen. 

Mr. Welch. All right, and those problems continued even after 
the January 1 rollout date, my understanding. 

Mr. Chao. Correct, because it is not perfected. It is — it is not so 
much a technical issue, when you introduce a new business proc- 
ess, for example, in a procedure, you know, in an administrative 
aspect of health care, it takes a while for people to actually under- 
stand how that works, you know, as compared to learning the data 
system that is involved to support that business process. So it is 
more than just a technical issue. 

Mr. Welch. OK, and is it your view that, as we ultimately suc- 
ceeded with Part D, we can ultimately succeed in terms of the tech- 
nical Web site issues with Healthcare.gov? 

Mr. Chao. Certainly. I think it comes with being focused and 
driven to get at the root of the problem and to fix the systems, be- 
cause on the technical issue side, it is solvable, very solvable, and 
we have shown that it has made improvements. 

Mr. Welch. OK, thank you very much. 

I yield back. 

Mr. Murphy. Gentleman yields back. 

Now recognize for 5 minutes the gentleman from Virginia, Mr. 
Griffith. 

Mr. Griffith. Thank you, Mr. Chairman. 

Now, speaking of Medicare Part D, no one was required by law 
or force of penalty to subscribe to that, isn’t that correct? 

Mr. Chao. No, but we did auto-assign, auto-enroll Medicare — 
Medicaid dual eligibles into Medicare Part D. 

Mr. Griffith. But it is a different animal than what we are deal- 
ing with now because a lot of Americans are being told they can’t 
have their insurance so they are going to have to sign up through 
the Exchanges. So I do appreciate that, but there is a difference. 

You know, one of the things that when you get time today to look 
at the report, and I think it is a symptom of the problems that this 
Web site has had, is that you were not included in the briefings 
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on the report that has come to light in the last 24 hours, but when 
you get a chance to read that, one of the things you will see is they 
thought there ought to be one person overseeing all of the different 
parts. And listening to the vendors who previously testified before 
this committee, it looked like they were each building their own 
part and then, in the last month, they had to squeeze it all to- 
gether in the last two weeks, things were changing. 

Another part of that report shows us that on a timeline, you real- 
ly want to define your policy requirements prior to finishing the de- 
sign and starting the build. Wouldn’t you agree with that? 

Mr. Chao. That is the logical thing to do. 

Mr. Griffith. It is the logical thing to do, but in reality, we have 
heard testimony in this committee that they were changing policy, 
we know the big change on July the 2nd when all of a sudden the 
employer mandate was allegedly delayed — the President signed an 
executive order, I am not sure it has legal authority, but he did 
that, delayed that employer mandate. Further, we know from testi- 
mony that there were changes being made as close to the launch 
as 2 weeks before. So based on that, it would be the logical conclu- 
sion that you are going to have significant problems, wouldn’t it? 

Mr. Chao. With the luxury of hindsight, I can see that, you 
know, there are contributors to the way the system performed 
when it was unveiled, but that is not 

Mr. Griffith. Well, if you 

Mr. Chao. But that is not, you know, I need to focus on fixing 
this thing. 

Mr. Griffith. And I know that is your focus is to fix it now, but 
also when you take a look at it, when you are still defining your 
policy requirements as late as two weeks prior to launch, it is very 
difficult to design and then to build and then to test a system and 
have it work, whether it is the security component or the perform- 
ance component. It would be logical to do it in the proper order. 
When you do the illogical, you are liable to have problems. And I 
know you would agree with that, if you were free to answer hon- 
estly. And I would say to you that I also noticed that no one person 
was ever appointed to head this up while you were in charge of 
part of it, and you are in charge of making part of it work. It looks 
like there are at least six different representatives from different 
agencies that had a hand in overseeing what was going on, and no 
one had control over the others, isn’t that correct? 

Mr. Chao. I think it was a governance committee that was 
formed. 

Mr. Griffith. A governance committee. And — isn’t that inter- 
esting. And sometimes when you are trying to launch a big project 
like this though, you have to have one general in charge of the op- 
eration. Wouldn’t that be logical? 

Mr. Chao. I would say that for the technical pieces, you know, 
I was responsible for making sure that the technical pieces 
were 

Mr. Griffith. All right. 

Mr. Chao [continuing]. Organized. 

Mr. Griffith. And last month, this committee uncovered a Sep- 
tember 27 memorandum indicating that Healthcare.gov launched 
without a full security control assessment. Administrator Tavenner 
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had to attest that she was aware that the launch carried security 
risks. Can you tell us what those risks are specifically? 

Mr. Chao. First of all, I think the incomplete testing — it was 
fully security tested through 3 rounds of testing so that when we — 
when Marilyn Tavenner signed the authority to operate on Sep- 
tember 27, it had no high findings and had gone through the ap- 
propriate security tests. 

Mr. Griffith. So what she said was not accurate, that it had a — 
did not have a full security control assessment, she was mistaken 
when she testified in front of us on that? 

Mr. Chao. I think there is a part of that sentence that might 
be — it needs clarification. I think what we were trying to say was 
that the security control assessment was not tested for a full entire 
system of which we were still — remember, I — we are still building 
financial management aspects of it. I think it was just an acknowl- 
edgement that the — 100 percent of the system was not complete at 
that time. 

Mr. Griffith. OK, and it is still not complete today, and the peo- 
ple of America want to know, you know, what is the security going 
to be 

Mr. Chao. Well 

Mr. Griffith [continuing]. If it is not completed on January 1. 

Mr. Chao. The October 1 pieces that were necessary, such as en- 
suring security privacy for those functions that I mentioned, were 
tested. 

Mr. Griffith. OK, and I appreciate that, but what can we expect 
on January 1? 

I apologize, I yield back. 

Mr. Murphy. Thank you. And by the way, our prayers are with 
the family of State Senator Creigh in Virginia who is, I guess, in 
critical condition. 

Mr. Griffith. If I might 

Mr. Murphy. Right. 

Mr. Griffith [continuing]. Take a — since you bring it up. If I 
might take a moment of personal privilege. I do appreciate your 
prayers. Creigh and I were in opposite parties, but just like on this 
committee, you form friendships. And he served with me in that 
Virginia House of Delegates before he went on to the Senate and 
went on to run for other offices. But he still is a sitting Senator, 
and it obviously has shaken everybody in Virginia. And he is a 
good man and our prayers are with him, and I encourage every- 
body to say a prayer for Senator Deeds and his family. 

Mr. Murphy. I thank the gentleman. 

Now turning to Mr. Tonko for 5 minutes. 

Mr. Tonko. Thank you, Mr. Chair. 

I would like to continue on that recent questioning of the docu- 
ment that my Republican colleagues have released. 

Mr. Chao, this document was signed, I believe, on September 27, 
and it is an ATO, an authority to operate, memorandum to operate 
the Federally Facilitated Marketplace for 6 months, and implement 
a security mitigation plan. 

Mr. Chao. Correct. 

Mr. Tonko. Can you tell us, are ATO’s commonly used in Fed- 
eral data systems? 
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Mr. Chao. Yes. It is the, in essence, the last official sign-off to 
authorize a Federal system to go into operations. 

Mr. Tonko. Thank you. And can you tell us why Administrator 
Tavenner signed this ATO rather than, well, perhaps other officials 
that might report to the administrator? 

Mr. Chao. I think the span of the stakeholders that were in- 
volved across the Agency has — we had not had a system that had 
this unprecedented involvement of so many different components, 
so that the recommendation by our chief information officer was to 
make a recommendation for the administrator to actually sign off 
on this, because she runs the entire agency. 

Mr. Tonko. And the fact that she signed it is good news? It is 
an indication, I would believe, that officials at the highest level of 
CMS were briefed on and taking responsibility for site security? 

Mr. Chao. Correct, yes. 

Mr. Tonko. Now, as I understand it, this document describes se- 
curity testing for the Healthcare.gov Web site. It says that security 
testing of the marketplace was ongoing since inception and into 
September 2013. In fact, it says that, and I quote, “throughout the 
3 rounds of security control assessment testing, all of the security 
controls have been tested on different versions of this system.” Is 
that correct? 

Mr. Chao. Correct. 

Mr. Tonko. But the document goes on to say that because of sys- 
tem readiness, a complete security assessment of all the security 
controls in one complete version of the system was not performed. 
It says that this lack of testing, and I quote, “exposed a level of un- 
certainty that could be deemed as a high risk.” 

Mr. Chao. I didn’t actually — I had recommended as part of that 
decision memo and I think at that time, as I mentioned earlier, you 
know, it is semantics, you know, not 100 percent of the system is 
built so you can’t really consciously say you have it all available 
in one place to fully test, because not everything was needed for 
October 1. Only essential pieces involving Healthcare.gov were 
tested for security. 

Mr. Tonko. So the document then indicated that CMS postponed 
a final security assessment screening, right, and the — in its place, 
CMS did put in place a number of mitigation measures. And it con- 
cluded that these measures would mitigate the security risks. 

I want to take a moment to ask you about the September 27 
ATO, and how the risks identified are being addressed. Can you de- 
scribe their recommendations in that September 27 memo? 

Mr. Chao. You mean in terms of mitigations? 

Mr. Tonko. Yes. 

Mr. Chao. OK, so on a daily basis, we run antivirus scans every 
3 minutes, malware scans every 3 minutes, data full monitoring is 
a continuous effort, threat protection analysis against known bad 
IP’s or hackers, I mentioned that in my opening remarks that it is 
continuous. On a weekly basis, we monitor operating system com- 
pliance, infrastructure system compliance, we conduct penetration 
testing, authenticated and unauthenticated, by marketplace secu- 
rity teams. We have a 24 by 7 security operations team. We con- 
duct additional penetration testing, authenticated and 
unauthenticated, by another group of security professionals in CMS 
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that report under our chief of information security officer. We also 
conduct application software assurance testing, which is occurring 
biweekly. And on a monthly basis, we produce a plan of actions and 
milestones that keeps track and reports on any discovered weak- 
nesses during all of this monitoring. 

Mr. Tonko. So CMS is taking action that was recommended in 
the ATO? 

Mr. Chao. Correct. 

Mr. Tonko. And do you have confidence in these and other meas- 
ures you are taking to protect the security of Americans’ personal 
information? 

Mr. Chao. I have high confidence. 

Mr. Tonko. OK. As I understand it here, the remedial actions 
and the ongoing security testing are protecting the security of the 
Web site. 

Mr. Chao. Yes. 

Mr. Tonko. And so perhaps the message coming from my Repub- 
lican colleagues is that they do not want the Web site to work, and 
that they want to scare people from going on the Web site, when, 
in fact, we are hearing that security has been provided for. 

Mr. Chao. I think we have gone over and above, because we are 
very sensitive and we appreciate the nervousness around this new 
program with peoples’ information. 

Mr. Tonko. Well, we appreciate you building the security of the 
Web site, and responding to the actions recommended in the ATO 
memo. 

Thank you so much. I yield back. 

Mr. Murphy. Thank you. Gentleman’s time has expired. 

Now recognize the gentleman from Ohio, Mr. Johnson, for 5 min- 
utes. 

Mr. Johnson. Thank you, Mr. Chairman. 

Mr. Chao, I spent 30 years in information technology as — I have 
been the chief information officer of publicly traded companies, as 
well as the director of the CIO staff at U.S. Special Operations 
Command, and I know the pressures that delivering on a system 
of this complexity, I know the pressures that are there. 

I assume that you and I have a common goal here today, and 
that is to make sure that the American people hear the truth. Is 
that an accurate statement? 

Mr. Chao. That is correct. 

Mr. Johnson. OK. Given that then, would it be OK if you and 
I have an understanding, because this is two IT guys talking to one 
another. If I ask you a question that you don’t understand, would 
you ask me for clarification so that we can get to the bottom of it, 
because we want to dig down in here into some things that are per- 
tinent? 

Mr. Chao. Yes, sir. 

Mr. Johnson. OK, great. You know, under FISMA, agencies op- 
erating IT systems are required to establish security baselines, in- 
corporate them into applications and networks, and test them to 
see that they are incorporated correctly. The use and review of this 
testing plan is typically known as a security control assessment. 
Several of the security control assessments for Healthcare.gov were 
either not completed or otherwise ignored. 
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So are you familiar with the four security control assessments 
that were completed on the various aspects of the Federally Facili- 
tated Marketplaces? 

Mr. Chao. Not in intricate detail, but I think I — going back to 
what you said about ignored or missed, I think the most important 
thing to remember is that on September 

Mr. Johnson. Are you familiar with those security control as- 
sessments? 

Mr. Chao. I 

Mr. Johnson. Have you seen or read them? 

Mr. Chao. I have read the most important one, that is the 
one 

Mr. Johnson. Have you read all four of them? 

Mr. Chao. No, not all four. 

Mr. Johnson. OK, could you turn to tab 4 of the document bind- 
er that you have in front of you? This is the security control assess- 
ment completed on October 11, 2013. Are you familiar with the 
findings of this security control assessment? 

Mr. Chao. Yes. 

Mr. Johnson. OK. You testified a little earlier that it was your 
opinion, based on what you knew at the time, that the security con- 
trol assessments — that security had been adequately addressed 
when Administrator Tavenner signed the document authorizing the 
operation of the Web site. Is that correct? 

Mr. Chao. Yes. 

Mr. Johnson. But yet you just testified that you were not aware 
and you didn’t read the security control assessment, so how can 
you make that assertion that security had been adequately ad- 
dressed when you hadn’t even read the control assessments your- 
self? 

Mr. Chao. I am thinking that there might be some mismatch in 
versions here. Yours says final report October 11 for Health Insur- 
ance Exchange August through September 2013, SCA report. I 
have the Federally Facilitated Marketplace decision security 
part 

Mr. Johnson. Well, I am talking about the one in your tab there. 

Voice. Excuse me, can we ask the witness to speak up a little 
bit? I am having difficulty hearing him. 

Mr. Chao. I am sorry. 

Mr. Johnson. But I have got to move on because I don’t have 
time to look through the binder. 

Who develops the scope of a security control assessment before 
the contractor performs it? 

Mr. Chao. We have independent contractors that design our SCA 
testing. 

Mr. Johnson. Do you need an application like the Data Services 
Hub or the Web site to be complete in order to test it for purposes 
of a security control assessment? 

Mr. Chao. I think that depends on, you know, we don’t like test- 
ing security 

Mr. Johnson. Well, I can assure you that we don’t. 

Mr. Chao. The — in terms of using live data, you know. So prior 
to going to production, we tend to conduct security 



77 


Mr. Johnson. Well, let me ask you a question. Let us put up a 
slide. Are you familiar with the term sequel injection? 

Mr. Chao. Um-hum. 

Mr. Johnson. OK. You know, sequel injection is a process that 
hackers use to gain access to sequel databases, relational data- 
bases, through a sequel. This is a screenshot directly off of 
Healthcare.gov that you see, if you put a semicolon in the search 
box, you get all of those different breakdowns of sequel injection. 

Have — can you give me any idea how vigorous the testing was 
around sequel injection, and are you aware that potential hackers 
have the capability to go in through sequel injection and manipu- 
late these strings? 

Mr. Chao. I can’t speak to the exact — that situation. I think 
some of the folks that are coming up behind me in the other panel 
might be able to specifically address 

Mr. Johnson. I can assure you, Mr. Chairman, that I still have 
very serious concerns about the security aspects of this system. 

And with that, I yield back. 

Mr. Murphy. Thank you. Gentleman’s time has expired. 

Now recognize Ms. Schakowsky for 5 minutes. 

Ms. Schakowsky. I want to also focus on this particular system 
that the contractor, MITRE — I am here, Mr. Chao. Yes, OK. 

Mr. Chao. Sorry. 

Ms. Schakowsky. We have heard this morning, we just heard, 
about the risks that the contract — contractor, MITRE, identified 
when it performed security control assessments for different compo- 
nents of Healthcare.gov. And at first glance, they can seem alarm- 
ing, but my understanding is that all of these issues were miti- 
gated for the functions on the Web site that launched on October 
1. It is important to understand the general point of security test- 
ing, to identify any potential issues so they can be addressed before 
they became — become real problems. Asking MITRE to perform 
these assessments gives CMS and the contractors the opportunity 
to identify and resolve any security vulnerabilities before anyone’s 
personal information could be put at risk. 

So, Mr. Chao, does that sound to you like an accurate descrip- 
tion? Do the security control assessments involve an iterative proc- 
ess where problems are identified and then mitigated? 

Mr. Chao. Yes, that is correctly characterized. 

Ms. Schakowsky. So, Mr. Chao, I want to walk through some of 
these key security assessments to determine whether the high 
risks that MITRE identified have, in fact, been addressed. 

In January and February of 2013, MITRE performed a security 
control assessment of EIDM, the account creation function on 
Healthcare.gov. According to the final report, MITRE identified 
several high-risk findings. 

So, Mr. Chao, were these high-risk findings resolved and miti- 
gated before the October 1 start of open enrollment in the Federal 
Marketplace? 

Mr. Chao. Yes, they were. 

Ms. Schakowsky. And the fact is that they were noted in the — 
that fact is noted in the MITRE report. 

OK, so MITRE also performed a security control assessment of 
the Data Services Hub in August 2013, and again identified several 



78 


high-risk findings. Were these findings resolved and also mitigated 
before the October 1 launch? 

Mr. Chao. Yes, and the Hub received authority to operate in Au- 
gust. 

Ms. ScHAKOWSKY. Yes, and the fact is that was — and that fact 
was noted in the report. 

I also want to discuss the security control assessment that 
MITRE performed over August and September 2013 for the Health 
Insurance Exchange. Mr. Chao, were all high risks identified in 
this assessment mitigated before October 1? 

Mr. Chao. Yes. 

Ms. SCHAKOWSKY. I thank you. And what your answers confirm 
is that the system worked. MITRE identified potentially high 
risks — high security risks, and CMS made sure that they were 
mitigated before they would become major problems. 

The MITRE reports do not show a flawed system, they show that 
CMS conducted security control assessments to identify problems, 
and then fixed those problems. And I hope that my Republican col- 
leagues will keep these findings in mind when they talk about the 
security of Healthcare.gov. We don’t want to alarm the public about 
security risks that have already been addressed by CMS and its 
contractors. It just seems to me that identifying risks that were 
named, it is important also to note that they were all fixed before 
the launch on October 1. And I thank you very much for your testi- 
mony. 

I yield back. 

Mr. Chao. Thank you. 

Mr. Murphy. Gentlelady yields back. 

And now I recognize the gentlewoman from North Carolina, Mrs. 
Ellmers, for 5 minutes. 

Mrs. Ellmers. Thank you, Mr. Chairman. And thank you, Mr. 
Chao, for being with us today. 

Mr. Chao, I have a question about the subsidies, and some ques- 
tions about some miscalculations that could be happening on the 
Exchange. Press reports have indicated that some subsidies are 
being miscalculated. In fact, one individual the President identified 
as a beneficiary of Obamacare now can’t afford it. And, Mr. Chair- 
man, I would ask unanimous consent to submit an article from 
CNN to the committee for the record. 

[The information follows:] 
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(CNN) - Jessica Sanford, the Washinyton State woman cited by Presidcftt Barack Oboms as on Obamacare success story, received more bad r*ews Tuesday. Oniciats with 
the state's health exchange checked on her case and said she will not ((ualify for assistance in buying insurance. 
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Pan of her message was read by the President ala Rose Carden event at the a White House on October 21. 
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Dui in the days that followed that presidential shout-out. Sanford received letters from Washington slate's insurance exchange, notifying her she did not qualify for a tax 
emdit she was originally loldshewould be gening. 

After looking into Sanford's matter, officials with tite exchange admit they made a mistake calculating her benefit, along with those for thousands of other Washington 

state residents. 

"The Exchange would like to sincerely apologize to Jessieu Sanford and all those affected in Washington State by this error," Washington Health BeneOt Exchange C1£0 
Richard Onizuka said in a statement pruvid^ to CNN. 

"Unfortunately, Jessica .Sanford is one of the individuals who is afTected by this ux credit miscalculation,'' he added. 

A 48 year old self-employed court reporter and single mollwr of a teenage son with ADHD. Sanford .said it’s now unlikely she will be able to afford to buy insurance. 
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.Sanford said the White House officird ofiered to help "in any way ," 

Asked about Sanford's .sio^'' While Jlouse press secretary- Jay Carney said the administralion regrcB the mtx-up. 

”We are certainly sonty as wc van be that Jesska b one of ihc folks that has been affected by this," Carney said. 

Sanford, an Obama and health tare reform supporter, said “ycjr. I do" when asked ifehangesneed tobemade to the AITordableC^ Act lo help people like her. 
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Mrs. Ellmers. OK. This is a single mom, has a teenage son with 
ADHD, went on the Washington State Exchange, had gotten an in- 
surance quote for what she would pay at a gold price. Then she re- 
ceived notification that it was actually — the quote was actually 
higher for a silver plan. More confusion went on. Then even a 
cheaper plan at bronze level for $324. So, in other words, she ended 
up paying a lot more. 

I guess in my questioning for you is, is this happening on the 
Healthcare.gov site or the Federal Marketplace? 

Mr. Chao. I think there are a lot of inputs to how an advanced 
premium tax credit is calculated. A person can come back and 
make some modifications to their income levels, to their household 
composition. So — and Washington is a State-based marketplace, so 
I can’t really speak 

Mrs. Ellmers. Um-hum. 

Mr. Chao [continuing]. For that particular case, but I think that 
Healthcare.gov allows people the flexibility to try several ways 

Mrs. Ellmers. Um-hum. 

Mr. Chao [continuing]. To determine, you know, what their tax 
credit is. 

Mrs. Ellmers. OK, you know, and there again, I am just going 
based off the article. It doesn’t seem to be that she had gone back 
to make any changes, it sounded to me like, you know, there were 
miscalculations that she was notified of So again, my questioning 
is, is this happening in the Federal Exchange? 

Mr. Chao. I would need some specifics to be able to answer that. 

Mrs. Ellmers. OK. 

Mr. Chao. I think that if anyone ever does have issues with be- 
lieving that their subsidies were incorrectly calculated, they could 
certainly call our call center to try to find out if it was correct or 
not. 

Mrs. Ellmers. So that is basically, you know, I am just asking 
how someone would address that, or how that would happen, if 
there were miscalculations then you could speak to someone per- 
sonally and 

Mr. Chao. Yes, we have both the call center and what we call 
an eligibility support work 

Mrs. Ellmers. Um-hum. Do you know if this is what is hap- 
pening? 

Mr. Chao. I 

Mrs. Ellmers. Have you heard any reports of 

Mr. Chao. I think there are many calls to the call center for 
many different reasons. 

Mrs. Ellmers. Um-hum. 

Mr. Chao. I don’t know exactly, you know, I can’t tell you there 
were 10 cases today or 

Mrs. Ellmers. Um-hum, OK. 

Mr. Chao. But if you 

Mrs. Ellmers. CGI — well, we can move on. I appreciate that. 
CGI, the contractor responsible for building Healthcare.gov, can 
you explain your role with them in the last weeks of September? 
Did you, you know, were you in contact with them, were you work- 
ing with them one-on-one, were you in their office? 
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Mr. Chao. Yes, I actually — I moved down to Herndon and lived 
in a hotel from September 10 to about the last week of October 

Mrs. Ellmers. Um-hum. 

Mr. Chao [continuing]. And I worked at CGI almost every day. 

Mrs. Ellmers. So you were actually there in their offices, work- 
ing out of their offices? OK. 

Mr. Chao. Yes. 

Mrs. Ellmers. One of the things that — I have got about a 
minute left on my time. The President announced a tech surge to 
fix the Web site. Who is involved in that surge? 

Mr. Chao. There — Todd Park is involved 

Mrs. Ellmers. Um-hum. 

Mr. Chao [continuing]. And there are two fellows, one by the 
name of Mikey Dickerson, and another by the name of Greg 
Gershman. 

Mrs. Ellmers. Do you know about their compensation? How are 
they being compensated? 

Mr. Chao. I have no insight to that. 

Mrs. Ellmers. Um-hum. Do they have a contract or did they 
have to sign an agreement? 

Mr. Chao. I don’t know. 

Mrs. Ellmers. Who do these individuals report to? 

Mr. Chao. I am not — actually, I am not sure who they have a 
contract with, or whether if they 

Mrs. Ellmers. So — but you are in charge of the technical compo- 
nent to Healthcare.gov, and they don’t report to you? 

Mr. Chao. No, they are part of a tech surge team that is being 
led by Jeff Zients. 

Mrs. Ellmers. OK. 

Mr. Chao. Right. 

Mrs. Ellmers. So Jeff Zients is really the person that they are 
reporting to? 

Mr. Chao. Right. 

Mrs. Ellmers. OK, thank you very much. 

Mr. Chairman, my time has expired. 

Mr. Murphy. Gentlelady yields back. 

Now go to Mr. Olson for 5 minutes. 

Mr. Olson. I thank the Chair. Welcome, Mr. Chao. 

As you can imagine, sir, folks back home in Texas 22 have one 
simple question: Why, why, why did Healthcare.gov roll out on Oc- 
tober 1 when most people in CMS, including yourself and every 
contractor writing codes and doing the testing, said stop, stop, stop, 
stop. We need more time. This Red Team document is frightening. 
I refer you to page 4 of the document, terms like limited end-to- 
end testing, parallel stacking of all phases. Stacking is vertical not 
parallel. Insufficient time and scope of end-to-end testing. Launch 
at full volume. And I refer you to a 7/16 email which you said you 
were worried that, and this is a quote, “crash the plane takeoff.” 

With all due respect, sir, it never got to the runway. It was still 
waiting at the ramp there, waiting for the pilots, the bags, the fuel, 
waiting for new tires. Using your analogy and my record as a naval 
aviator, Healthcare.gov was a “hangar queen,” never ready to fly. 

I do want to talk about — the folks back home I work for are most 
concerned about protection of their personal health information. 
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With so little testing, they are concerned about the lack of security 
control assessments, SCA’s. And my question is, I will refer you to 
the document brief there, and on — please turn to tab 2, sir. My 
question concerns — you guys said that — this is a document you 
wrote for Ms. Tavenner, that you needed a 2-part mitigation plan. 
And part 2 is basically, you said, 1 of the recommended steps is to 
“conduct a full SCA test on the FFM in a stable environment where 
all security controls can be tested within 60 to 90 days of going live 
on October 1.” The FFM will not be completed by November 30, so 
how can you conduct a full test of the SCA within 60 days of open 
enrollment? How could that happen when you are losing 30 days 
right off the bat? 

Mr. Chao. I think the 60 to 90 days refers to the inclusion of the 
final piece that needs to be built. What we mentioned earlier, 
which I just want to say that it is actually 30 percent of the sys- 
tems are left to be developed, not 70 percent, and that 30 percent 
represents the payment aspect and the accounting aspects of mak- 
ing payments in the marketplace, for all marketplaces, not just for 
Federally Facilitated Marketplaces, and that that functionality has 
to be in place for the January 1 effective date enrollments. And so 
I think once we have that completed, we could do a full SCA across 
the entire system. 

Mr. Olson. But, sir, the document says October 1 rollout, 60 to 
90 days after that. And apparently right now, we are going back 
to at least November 1 at the earliest for the rollout. I don’t see 
how you get 60 days or 90 days of testing before we are going live 
again. 

And one further question about the SCA’s. How many SCA’s did 
you identify and fix before the rollout on October 1, how many have 
been identified and fixed after rollout, and how many are still out 
there. What is the scope that my constituents should be worried 
about? 

Mr. Chao. The most important aspect is that there were no high 
findings in the SCA tests as of the October 1 rollout. And as I men- 
tioned earlier, I read off a list of mitigation activities that we go 
over and above any system that we put into — we deploy and put 
in operations and monitor on a daily basis. 

Mr. Olson. When can you assure us that a full SCA will be con- 
ducted system-wide? Ever? 

Mr. Chao. When the last pieces of the system are completely 
built, which is not — ^you know, I don’t want people to think that 
there hasn’t been a full SCA. A full SCA has been conducted on the 
pieces that were needed for October 1 for eligibility enrollment. We 
have yet — we still have to build the financial management aspects 
of the system, which includes our accounting system and payment 
system and reconciliation system. Those will also have security 
testing involved as well. 

Mr. Olson. And the full end-to-end 

Mr. Chao. Testing 

Mr. Olson [continuing]. Testing, the whole, full system, when 
can we expect that to occur, sir? What date? 

Mr. Chao. I don’t have an exact date, but it should be in — some 
time in December. 

Mr. Olson. So 2013, not 2014, 2015, 2016? 
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Mr. Chao. Correct. 

Mr. Olson. 2013. OK, sir. One final question, and I want to refer 
back to your email from July 16 about needing to feel more con- 
fident about Healthcare.gov. I am assuming that some time in the 
last 4 months you got that confidence. What gave you that con- 
fidence? What was the trigger mechanism, when did that happen? 
Something changed in the last 4 months. 

Mr. Chao. I didn’t say anything about having more confidence. 
I am always cautious, which is what I was trying to say earlier is 
that, until this is fixed, until the vast majority of people have a 
good experience going through here, and we have people who want 
to enroll, get enrolled, particularly for January 1, I am going to 
continue to focus on that along with the rest of the team. And, you 
know, and so it is not really about confidence level right now, it 
is about focusing on fixing the problem. 

Mr. Olson. And so we are not fine yet. The hangar queen is still 
at the hangar. 

I yield back the balance of my time. 

Mr. Murphy. I thank the gentleman for yielding back. 

What we are going to do is give each side 5 more total minutes, 
because Ms. DeGette has a couple of clarifying questions, I have a 
couple of clarifying questions. If anybody from my side needs some 
time, we will do that real quick. 

Ms. DeGette. 

Ms. DeGette. Thank you, Mr. Chairman. 

Mr. Chao, I want to thank you for coming and spending the 
morning with us. I am going to try to be quick because I would like 
you to get back to wherever you are going and make this thing 
work. OK. 

The first thing I want to clear up, because even though I thought 
we established it, my friends on the other side continued to ask you 
about this McKinsey document at tab 1, and I just want to clarify. 
You didn’t — you weren’t part of this Red Team evaluation, is that 
right? 

Mr. Chao. Correct. 

Ms. DeGette. And you didn’t really see this document until 
today, is that correct? 

Mr. Chao. Correct. 

Ms. DeGette. So there were a lot of questions people asked you, 
hypothetical questions people asked you about this evaluation that 
you really don’t know the answer to because you weren’t involved 
in the process and you didn’t see the document until today, right? 

Mr. Chao. Correct. 

Ms. DeGette. Now, as I understand it, this evaluation was done 
in March/April 2013. Is that your understanding as well, this 
McKinsey evaluation? 

Mr. Chao. It is approximately that time. 

Ms. DeGette. And do you have any knowledge of what that eval- 
uation was supposed to be for? Was it a snapshot in time or do you 
even know? 

Mr. Chao. From the interviews that I had with McKinsey, it was 
about really 2 things. One was, I spent some time helping 
McKinsey understand the program. 

Ms. DeGette. Uh-huh. 
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Mr. Chao. Meaning how it worked, where we were in terms of 
status and schedule. I don’t — I suppose it also includes a point in 
time kind of an assessment, because I educated them on exactly 
what was happening up to the date 

Ms. DeGette. Up to that time. Now, on page 4 of this assess- 
ment, I don’t really want you to respond to this because you 
weren’t involved in the document, but I do want to point out, there 
were a lot of questions that were asked today about the current sit- 
uation, evolving requirements, multiple definitions of success, et 
cetera, but the people who were asking those questions today didn’t 
talk about the last thing, which is in bold letters in a box, that says 
CMS has been working to mitigate challenges resulting from pro- 
gram characteristics. This was in March or April. And so without 
telking about this document necessarily, but I think what your tes- 
timony — what your job is really to identify issues throughout and 
try to mitigate them, is that right? 

Mr. Chao. Correct. 

Ms. DeGette. And that is what you have tried to do throughout. 

Mr. Chao. It is a constant mitigation set of activities 

Ms. DeGette. And the administration has said it is going to try 
to have the Federal Exchange site working for 80 percent of the 
people by the end of November. Is that right? That is what we have 
been reading in the press. 

Mr. Chao. That is what the press quoted. 

Ms. DeGette. OK. 

Mr. Chao. I think what we have been saying is the vast majority 
of 

Ms. DeGette. All right, and do you believe that that is a reason- 
able goal at this point? 

Mr. Chao. I think that is an attainable goal, given what I have 
seen so far. 

Ms. DeGette. Do you think it is going to happen? 

Mr. Chao. I don’t think there are any guarantees. I think we are 
still in a stage where we are trying to apply as much due diligence, 
acquiring additional assistance, the tech surge, looking at perform- 
ance, fixing the functional defects, along with making sure that se- 
curity monitoring is an ongoing basis. So I think there is still a lot 
of moving parts that it wouldn’t be prudent to give 100 percent 
guarantees about where we are going to be at on an exact date 

Ms. DeGette. Well 

Mr. Chao [continuing]. But I think we are on the right track. 

Ms. DeGette. You are — OK, but what I will say to you is, truly, 
and you have heard this from all of us, all of us were disappointed 
that it didn’t work on October 1. I am sure you were too. 

Mr. Chao. Very. 

Ms. DeGette. And so we need this to be essentially working 
ASAP. For one thing, people who want insurance coverage as of 
January 1 have to sign up by December 15. So if it is not working 
for the vast majority of people by the end of November, that is 
going to be hard to do. Understood? 

Mr. Chao. We certainly understand that. 

Ms. DeGette. OK. One last thing. Someone had asked you the 
question — or had made the assertion that 60 percent of the site 
was not working, but I am told that is not really accurate, that it 
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is really about 30 percent that is not working, and most of that is 
the backend which is the payment to insurance companies. So that 
is not necessarily the part that has to be working at this moment. 
Is that correct? 

Mr. Chao. Yes, it is not that it is not working, it is still being 
developed and tested. 

Ms. DeGette. ok. 

Mr. Chao. Right. 

Ms. DeGette. But that is the payment to the insurance compa- 
nies. 

Mr. Chao. Correct. 

Ms. DeGette. Right. 

Mr. Chao. Which involves testing with Treasury 

Ms. DeGette. OK. 

Mr. Chao [continuing]. And others. 

Ms. DeGette. All right. Thanks, Mr. Chairman. 

Mr. Murphy. Thank you. 

Recognize myself for 5 minutes. 

Just let me follow up here that — then what you are saying this 
30 percent is yet to develop on the payment end. On October 1, the 
day this went live, how much of the site was developed at that 
time? 

Mr. Chao. Probably — well 100 percent of all the priorities that 
were set for by the business for October 1, it was up and running. 
Mr. Murphy. OK, but what about the other parts? 

Mr. Chao. I think there was a reprioritization associated with, 
like, the shop employer, shop employee and the Spanish Web site 
that was 

Mr. Murphy. But it was crashing for everybody. We have heard 
that it wasn’t designed for that many people, it didn’t pass a stress 
test, it never had end-to-end testing, and you are saying it was 100 
percent ready? 

Mr. Chao. No, it 

Mr. Murphy. I just want to make sure I understand. What 

Mr. Chao. When I — it was 100 percent built, meaning 

Mr. Murphy. One hundred percent built, but 

Mr. Chao. Or the 

Mr. Murphy [continuing]. Just not working. 

Mr. Chao. Yes, working functionally and 

Mr. Murphy. Well, then it is not built. 

Mr. Chao [continuing]. Performing well, that 

Mr. Murphy. If a car is built but you can’t run the car, that car 
is not built. If a Web site isn’t working, it is not built. 

Mr. Chao. Well, I am certainly not going to sit here and try to 

tell you that it was working well. So I do 

Mr. Murphy. Yes, but you said on October 1 it was 100 percent 
built. I really need to know because you had said before you wish 
you had had more time, and you had just said to Ms. DeGette that 
your job was to identify issues and mitigate them. And since you 
would have liked to have had more time, and your job was to miti- 
gate them, would you have liked to have seen this whole report 
from McKinsey that identified the problems so you didn’t have to 
find them out? 
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Mr. Chao. I don’t — I — actually, I don’t think it was necessary be- 
cause I think this report was for — really for Marilyn Tavenner and 
others, and it was written for that level of consumption and that 
audience. 

Mr. Murphy. But you haven’t seen this so you don’t know. Or 
do you know? 

Mr. Chao. I am just assuming that that is why I wasn’t 

Mr. Murphy. OK, I just want you to stick with facts you know. 
So — well, what I am seeing here is from March on, Marianne 
Bowen, Jim Kerr, Todd Park, Brian Spivack, Michelle Snyder, 
Gary Cohen, Bill Corr, Mike Hash, Aryana Khalid, Katherine 
Sebelius, William Schultz, Michelle Snyder, Marilyn Tavenner, 
Mark Childress, Jeanne Lambrew and Ellen Montz all had brief- 
ings on this. Are those any people you work with? 

Mr. Chao. I have been in meetings with several of those folks. 

Mr. Murphy. Some of them. Since March and April? 

Mr. Chao. Yes. 

Mr. Murphy. And none of them raised any of these concerns to 
you, and you identified yourself that your job was to identify issues 
and mitigate them, but none of them identified 

Mr. Chao. Within 

Mr. Chao [continuing]. That, with all of these interviews and the 
200 documents reviewed, that there were these problems? 

Mr. Chao. Within my day-to-day operational, you know, require- 
ments to manage the contract, to manage schedule, to manage staff 
and 

Mr. Murphy. Yes, but what you don’t measure, you can’t man- 
age. And so I am concerned that this list of people who you work 
with were not communicating to you this document that you knew 
something existed because you, indeed, were interviewed on it 
yourself, but here we have this messy rollout that didn’t work, that 
crashed, that only 6 people signed up the first day, and we still are 
concerned about problems, and yet it is puzzling to me why these 
key people just didn’t talk to you about it. They gave you no hints 
that this existed? 

Mr. Chao. Perhaps that — I just was not included in certain dis- 
cussions. 

Mr. Murphy. Well, if you knew then what you know now, would 
you have spoken up more with regard to rolling out this Web site 
on October 1? 

Mr. Chao. I wish I had the luxury of a time machine to go back 
and change things, but I can’t do that. 

Mr. Murphy. I understand that, but it is a matter that — did you 
ask someone at that time for more time? 

Mr. Chao. No. 

Mr. Murphy. Why not? 

Mr. Chao. Because my direction 

Mr. Murphy. From? 

Mr. Chao [continuing]. Was from Marilyn Tavenner, is to deliver 
a system on October 1. 

Mr. Murphy. So Marilyn Tavenner said deliver October 1. She 
had been in on these briefings from McKinsey that said there were 
serious problems. She was in at least 2 of them I believe. And this 
was at HHS Headquarters on April 4, she was there, and also at 
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the Eisenhower Executive Office Building on April 6. She was 
there, she was briefed on these problems. She said move it for Oc- 
tober 1, and you, as the man who is in charge of making sure this 
works, she didn’t tell you that those problems existed. Is that what 
you are saying today? 

Mr. Chao. I can’t comment on that. I 

Mr. Murphy. It is — well, it is either she told you or she didn’t 
tell you. I am just curious. 

Mr. Chao. I don’t think she told me in the context of this brief- 
ing. I think we have status meetings all the time in which we talk 
about ways to mitigate and to 

Mr. Murphy. You — so you met with her frequently over those 
months, but she never brought up the extent of these concerns? 

Mr. Chao. Not the McKinsey report, no. 

Mr. Murphy. OK. 

Mr. Chao. I think we talked about certainly about issues and 
priorities for October 1. 

Mr. Murphy. I see. 

Well, I have no further questions, so, Mr. Chao, I appreciate you 
spending so much time with us today. We are going to take a real 
quick 5-minute break. We recognize our next panel of witnesses 
has been sitting here for a while, so we will be right back in 5 min- 
utes. 

And thank you again, Mr. Chao. 

Mr. Chao. Thank you. 

[Recess.] 

Mr. Murphy. All right, this hearing is reconvened. 

I would now like to introduce the witnesses in the second panel 
for today’s hearing, and thank you all for being so patient and 
waiting. 

Our first witness is Jason Providakes. He is the Senior Vice 
President and General Manager for the Center for Connected Gov- 
ernment at MITRE Corporation. He is also the Director of the Cen- 
ters for Medicare and Medicaid Services Alliance to Modernize 
Medicare. Our second witness is Maggie Bauer. She is the Senior 
Vice President of Health Services at Creative Computing Solutions, 
Inc., also known as CCSi. She has extensive operations manage- 
ment experience in consulting, program management, IT infra- 
structure services, software development, lifecycle and end-user 
support on service-level drive performance-based programs. And 
our third witness is David Amsler. He is the Founder, President 
and Chief Information Officer at Foreground Security, Inc. He has 
more than 15 years of IT security experience, and he oversees the 
overall customer-centered vision and direction of Foreground Secu- 
rity, its industry-leading offerings and day-to-day operations. 

I will now swear in the witnesses. 

You are all aware that the committee is holding an investigative 
hearing, and when doing so, has the practice of taking testimony 
under oath. Do you have any objections to testifying under oath? 

Ms. Bauer. No 
Voices. No. 

Mr. Murphy. All the witnesses are in the negative there. The 
Chair then advises you that under the rules of the House and the 
rules of the committee, you are entitled to be advised by counsel. 
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Do any of you desire to be advised by counsel during your testi- 
mony today? 

Voices. No. 

Mr. Murphy. And all the witnesses have said no. In that case, 
would you please rise, raise your right hand and I will swear you 
in. 

[Witnesses sworn.] 

Mr. Murphy. And all the witnesses responded, “I do.” 

You are now under oath and subject to the penalties set forth in 
Title XCIII, Section 1001 of the United States Code. 

You may now give a 5-minute opening summary of your state- 
ment, Mr. Providakes. 

STATEMENTS OF JASON PROVIDAKES, SENIOR VICE PRESI- 
DENT, CENTER FOR CONNECTED GOVERNMENT, THE MITRE 

CORPORATION; MAGGIE BAUER, SENIOR VICE PRESIDENT, 

CREATIVE COMPUTING SOLUTIONS, INC.; AND DAVID 

AMSLER, PRESIDENT AND CHIEF INFORMATION OFFICER, 

FOREGROUND SECURITY, INC. 

STATEMENT OF JASON PROVIDAKES 

Mr. Providakes. Yes. All right, well, good morning. Chairman 
Murphy, and Ranking Member DeGette. My name is Jason 
Providakes, and I am here today on behalf of the MITRE Corpora- 
tion. I serve as the director of the not-for-profit. Federally funded 
research and development center, operated by MITRE and spon- 
sored by the U.S. Department of Health and Human Services. 

The MITRE Corporation is chartered in the public interest to 
apply systems engineering skills and advanced technology, to ad- 
dress issues of critical national importance. We accomplish this 
through operation of research and development centers that sup- 
port our Government sponsors with scientific research and develop- 
ment, analysis and systems engineering and integration as well. 

Known as Federally funded research development centers, they 
are operated under a set of rules and constraints proscribed by the 
Federal acquisition regulations. The rules are designed to preserve 
the FFRDC’s objectivity and dependence and freedom from conflict 
of interest. 

MITRE operates FFRDC centers for seven Federal agency spon- 
sors. We were awarded the contract to operate the CMS Alliance 
to Modernize Healthcare center about a year ago following a com- 
petitive bid. The center was charged with assisting CMS in mod- 
ernizing its operation, and supporting the implementation of health 
reform, and the expansion of health care to millions of Americans. 

MITRE serves as a technical, independent objective advisor to 
CMS. We have been supporting CMS successfully since about 2005 
on a contract basis, prior to the establishment of the new center. 
We advise on health IT, helped plan and develop future policies, we 
provide technical evaluations and objective evaluation of business 
models, and assess new technology. 

As part of its efforts to establish Healthcare.gov, CMS asked 
MITRE to conduct security assessments on parts of the site. And 
I appreciate the opportunity to clarify what our role was in assist- 
ing CMS on Healthcare.gov. We provide CMS with information se- 
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curity support and guidance under two contracts; the Office of In- 
formation Systems, and Enterprise Information Systems Group. 
Pursuant to tasks issued under those contracts, MITRE performed 
a total of 18 security control assessments, or SCA’s, for components 
across the range of CMS enterprise systems. Most of these were 
performed on supporting infrastructure and development compo- 
nents. Six of the SCA’s were directly related to Healthcare.gov, and 
were performed between September of 2012 and September of 
2013. 

MITRE performs various tasks as part of overall support for 
CMS enterprise security maintenance. A limited amount of that 
support is in the form of external penetration testing relative to 
CMS Web sites, including Healthcare.gov. MITRE is not in charge 
of security for Healthcare.gov. We were not asked nor did we per- 
form end-to-end security testing. We have no view on the overall 
safety or security status of Healthcare.gov. 

MITRE did not and does not recommend approval of — or dis- 
approval of an authority to operate. Deciding whether and when to 
grant an ATO is inherently a governmental function that derives 
from the Government’s assessment of overall risk posture. In this 
case, the Government made its ATO decisions based on a large set 
of inputs and factors, among which were 6 SCA’s performed by 
MITRE. We do not have visibility into the many other factors that 
went into the Government’s ATO decision. CMS did not advise 
MITRE whether or when ATO’s were granted for the marketplace 
components being tested. In this case, the Government made its 
ATO decisions based on a large set of data. 

Again, we were not asked to conduct end-to-end testing, rather 
we tested specific parts of Healthcare.gov, under a set of specific 
parameters established by CMS. We worked alongside the CMS- 
designated contractor in the course of testing to remediate risks as 
high, and in almost all cases, we succeeded. Our testing was ac- 
complished in accordance with standard SCA engineering meth- 
odologies. In each case, we assessed component security control 
risks against CMS-defined security control parameters, on a high, 
moderate to low scale, and we recommended appropriate risk miti- 
gations. 

On site security control assessment, testing typically begins on a 
Monday and wraps up within a week. The tests against CMS-de- 
fined security control parameters, over the course of 5 days of test- 
ing, MITRE identifies the risk and assigns a remediation priorities 
for risks judged to be high and moderate levels. Security testing is 
designed to flush out and pinpoint the security weakness of a dig- 
ital information system. This enables corrective remediations to be 
applied, and also allows the system operator to make necessary 
business judgments and tradeoffs about the overall system. 

Because our role in performing the security control tests was lim- 
ited in both time and scope, MITRE has no insight into how as- 
sessed security control risks were handled, or what other risks may 
have surfaced subsequent to the date of testing. Judgments about 
the potential impact of assessed security control risks on overall 
system operation or performance were business judgments made by 
CMS as part of the operating authority. 
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Through our broader partnership with the Federal Government, 
we remain committed to assisting CMS in working to enhance the 
care and delivery of health care for all Americans. 

I would be happy to respond to your questions. Thank you. 

[The prepared statement of Mr. Providakes follows:] 
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HOUSE COMMITTEE ON ENERGY AND COMMERCE 
SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS 
STATEMENT OF THE MITRE CORPORATION 
November 19, 2013 

Good morning Chairman Murphy, Ranking Member DeGette and distinguished members 
of the committee. My name is Jason Providakes and I am here today on behalf of The 
MITRE Corporation. I serve as the director of the not for profit Federally Funded 
Research and Development Center (FFRDC), operated by MITRE and sponsored by the 
U.S. Department of Health and Human Services. 

The MITRE Corporation is chartered in the public interest to apply systems engineering 
skills and advanced technology to address issues of critical national importance. We 
accomplish this through the operation of research and development centers that support 
our government sponsors with scientific research and development, analysis, and systems 
engineering and integration. Known as Federally Funded Research and Development 
Centers, they are operated under a set of rules and constraints prescribed by the Federal 
Acquisition Regulations (FAR). The rules are designed to preserve the FFRDC’s 
objectivity, independence and freedom from conflict of interest. 

MITRE operates FFRDC centers for seven federal agency sponsors. We were awarded 
the contract to operate the CMS Alliance to Modernize Healthcare center about a year 
ago, following a competitive bid process. The center is charged with assisting CMS in 
modernizing its operations and supporting the implementation of health reform and 
expansion of health care to millions of Americans. 

MITRE serves as a technical independent, objective advisor to CMS/HHS. We have 
been supporting CMS/HHS successfully since 2005 on a contract basis prior to the 
establishment of the new center. We advise on Health IT; help plan and develop future 
policies; provide technical evaluation and objective evaluation of business models; and 
assess new technology. 

As part of its efforts to establish HealthCare.gov, CMS asked MITRE to conduct security 
assessments on parts of the site. I appreciate this opportunity to clarify what our role was 
in assisting CMS on HealthCare.gov. 

We provide CMS with information security support and guidance under two contracts 
with the Office of Information Systems (OIS), Enterprise Information Security Group 
(EISG). Pursuant to tasking issued under those contracts, MITRE performed a total of 
18 Security Control Assessments, or SCAs, for components across a range of CMS 
enterprise systems. Most of these were performed on supporting infrastructure (utilities) 
and development components. Six of the SCAs were directly related to HealthCare.gov 
and were performed between September 17, 2012 and September 20, 2013. 
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MITRE performs various tasks as part of our overall support for CMS enterprise security 
maintenance. A limited amount of that support is in the form of external penetration 
testing relative to CMS websites including HealthCare.gov. 

MITRE is not in charge of security for HealthCare.gov. We were not asked, nor did we 
perform “end-to-end” security testing. We have no view on the overall “safety” or 
security status ofHealthCare.gov. 

MITRE did not and does not recommend approval or disapproval of an Authority to 
Operate (ATO). Deciding whether and when to grant an ATO is an inherently 
governmental function which derives from the government’s assessment of overall risk 
posture. In this case, the government made its ATO decisions based on a large set of 
inputs and factors, among which were the six SCAs performed by MITRE. We do not 
have visibility into the many other factors that went into the government’s ATO decision. 
CMS did not advise MITRE whether or when ATOs were granted for the Marketplace 
components tested. In this case, the government made its ATO decisions based on a 
large set of data. 

Again, we were not asked to conduct end-to-end testing. Rather, we tested specific parts 
ofHealthCare.gov within specific parameters established by CMS. We worked alongside 
the CMS-designated contractor in the course of testing to remediate risks assessed as 
“high,” and in almost all cases we succeeded. 

Our testing was accomplished in accordance with standard SCA engineering 
methodologies. In each case, we assessed component security control risks against CMS- 
defined security control parameters on a high-moderate-low scale, and we recommended 
appropriate risk mitigations. On-site Security Control Assessment testing typically 
begins on a Monday and wraps up within the week. It tests against CMS defined security 
control parameters. Over the course of the five days of testing, MITRE identifies risks 
and assigns remediation priorities for risks judged to be at high and moderate levels. 

At the committee’s request, we previously made available to committee staff the final 
reports of the six Security Control Assessments relevant to HealthCare.gov. Security 
testing is designed to flush out and pinpoint the security weaknesses of a digital 
information system. This enables corrective remediations to be applied and also allows 
the system operator to make the necessary business judgments and tradeoffs about the 
overall system. 

By definition and design. Security Control Assessment reports will typically contain 
data that, in the hands of a malicious actor, could be used to compromise the security 
and privacy of information stored on the affected site. It was, of course, no different 
in the case of the SCAs performed on HealthCare.gov components. We accordingly 
redacted from our delivered documents portions that essentially could serve as a 
technical roadmap to a hacker bent on causing harm. 
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We also would like the committee to understand and appreciate that, even with the 
redactions, the information contained in the delivered materials could pose a 
significant risk to the confidentiality of consumer information accessible through 
HealthCare.gov. 

Because our role in performing the security control tests was limited in both time and 
scope, MITRE has no insight into how assessed security control risks were handled or 
what other risks may have surfaced subsequent to the date of testing. Judgments about 
the potential Impact of assessed security control risks on overall system operations or 
performance were business judgments made by CMS as the operating authority. 

Through our broader partnership with the federal government, we remain committed to 
assisting CMS in working to enhance the care and delivery of health care for all 
Americans. 

I would be happy to respond to your questions. Thank you. 
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Mr. Murphy. Thank you. 

Now turn to Ms. Bauer for her opening statement. 

STATEMENT OF MAGGIE BAUER 

Ms. Bauer. Good afternoon, Chairman Murphy, Ranking Mem- 
ber DeGette. My name is Maggie Bauer, and I am a Senior Vice 
President at Creative Computing Solutions, Inc., CCSi. 

I have responsibility for CCSi’s Federal health contracts, includ- 
ing the Centers for Medicare and Medicaid Services, Veterans Af- 
fairs, the Department of Health and Human Services National In- 
stitutes of Health, and the Military Health Service. 

In addition to health-related services, CCSi delivers program and 
project management services, cyber security services and enterprise 
systems engineering, exclusively to the Federal Government. 

CCSi was founded in 1992 by Dr. Manju Bewtra. 

In August of 2012, CMS awarded CCSi a contract to provide se- 
curity oversight of the CMS e-cloud. The e-cloud refers to CMS’s 
virtual data center, which hosts systems and applications that sup- 
port the Affordable Care Act. Foreground Security is their subcon- 
tractor, and we function as a fully integrated team. 

CCSi’s role on this contract is to provide security operations mon- 
itoring and management, including 24 by 7 by 365 security moni- 
toring from a secure operation center, otherwise known as a SOC. 
We monitor the perimeter firewalls and network devices for the e- 
cloud, and we scan applications for security incidents. These scans 
do not measure or track availability, up/downtimes or latency. If 
we detect an anomaly, we follow the CMS-approved incident re- 
sponse plan procedures for identified security incidents, such as 
network security configuration flaws or vulnerabilities in the net- 
work, security devices or in applications. CCSi’s contract does not 
extend to remediating security incidents. 

CCSi’s scope of work includes configuration, tuning, monitoring 
and management of CMS Government-furnished equipment that 
resides in the Verizon Terremark security monitoring zone. We re- 
view log files, we conduct event analysis, we provide reporting on 
security incidents, all of this under the direction and supervision 
of CMS. 

Activities involving the development, scaling, testing, release or 
administration of the Federal Exchange Program, Healthcare.gov, 
the Federal Exchange, or the Eederally Eacilitated Marketplace are 
not within the scope of our contract. 

I would be pleased to answer any questions that you have. 
Thank you. 

[The prepared statement of Ms. Bauer follows:] 
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Good morning Chairman Upton, Ranking Member Waxman and 
distinguished members of the Committee. My name is Maggie Bauer and I 
am a Senior Vice President at Creative Computing Solutions, Inc, (CCSi). I 
have responsibility for CCSi’s federal health contracts, including: Centers 
for Medicare and Medicaid Services (CMS); Veterans Affairs (VA); the 
Department of Health and Human Services (HHS) National Institutes of 
Health (NIH) and the Military Health Service (MHS). In addition to health- 
related services, we deliver program and project management services, 
cyber security services, and enterprise systems engineering exclusively to 
the federal government. CCSi was founded in 1992 by Dr. Manju Bewtra. 

In August of 2012, CMS awarded CCSi a contract to provide security 
oversight of the CMS eCloud. The eCloud refers to CMS’s virtual data 
center which hosts systems and applications that support the Affordable 
Care Act. CCSi was competitively awarded this contract in August 2012 
under the Alliant Small Business (SB) Government-wide Acquisition 
Contract (Alliant SB GWAC) which is a Multiple Award, Indefinite Delivery, 
Indefinite Quantity (IDIQ) contract vehicle. Foreground Security Services 
(FGS) is our subcontractor on this contract. Together, we are an integrated 
team of 22 staff members, 6 of whom are CCSi employees and 16 of whom 


work for FGS. 
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CCSi’s role on this contract is to provide security operations monitoring and 
management including 24x7x365 security monitoring from a Security 
Operations Center (SOC). We monitor the perimeter firewalls and network 
devices for the eCloud and we scan applications for vulnerabilities. These 
scans do not measure or track availability, up/down times or latency. If we 
detect an anomaly, we follow the CMS approved Incident Response Plan 
(IRP) procedures for identified network security configuration flaws and 
vulnerabilities in network and security devices and in applications. CCSi's 
contract does not extend to remediating any security configuration flaws or 
vulnerabilities in the network infrastructure nor does it include remediation 
of any vulnerability discovered in applications. 

CCSi’s scope of work also includes configuration, tuning, monitoring and 
management of CMS government furnished equipment (GFE) that resides 
in the Terremark security monitoring zone. We review iog fiies, conduct 
event analysis, and provide reporting on security incidents under the 
direction and supervision of CMS. 

Examples of the functions that CCSi performs under this contract include: 

• Detecting malicious activity, preventing unauthorized access to 
systems, and recommending threat protections 
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• Maintaining, patching operating and tuning CMS security appliances, 
tools and services to prevent and detect intrusions 

• Ensuring that systems are configured for routine scans and import 
scan results into security monitoring tools to assess system risk 

• Maintaining baseline configuration of the information system and 
monitor for unexpected changes to the baseline 

• Planning and supporting integration of security components of 
existing tools 

Activities involving the development, scaling, testing, release or 
administration of the Federal Exchange Program System, “healthcare.gov, ’’ 
the “Federal Exchange” or the Federally Facilitated Marketplace or “FFM" 
are not within scope of our contract. 


I would be pleased to answer any questions that you have. Thank you. 
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Mr. Murphy. Thank you, Ms. Bauer. 

Mr. Amsler, you are recognized for 5 minutes. 

STATEMENT OF DAVID AMSLER 

Mr. Amsler. Thank you, sir. 

Chairman Murphy, Ranking Member DeGette, members of the 
subcommittee, good afternoon and thank you for inviting me to tes- 
tify at this hearing on the security of the Web site, Healthcare.gov. 

I am the president and chief information officer of Foreground 
Security. I also founded the company. We provide cyber security 
consulting, training and services for both private-sector and Gov- 
ernment agencies. Our clients include Fortune 100 companies, 
smaller but highly targeted firms, and Government agencies. 

We defend our customers against an increasingly intricate threat 
and threat actors, through an integrated approach that entails 
building security architecture and assessing, monitoring and re- 
sponding to attacks against our customer environments. 

Foreground Security is a small but growing dedicated cyber secu- 
rity business located in Herndon, Virginia, and Florida. Our rough- 
ly 100 employees are highly trained and committed to serving our 
clients. 

Foreground Security is one of the companies hired to help de- 
velop a robust operational security management program for the 
new virtual data center created to implement the Affordable Care 
Act. We are subcontracted to our teammate. Creative Computing 
Solutions, Inc., or CCSi, which is the prime contractor for the Cen- 
ters for Medicare and Medicaid Services. 

Our role with CCSi includes a number of objectives relating to 
the security environment of Healthcare.gov. I think of our role as 
encompassing 3 phases. First is the creation of the security moni- 
toring environment. This entailed getting key staff in place, identi- 
fying needed security monitoring software and hardware, and 
building out a dedicated security operation center, or SOC, from 
which all monitoring is performed. Second is building those secu- 
rity monitoring capabilities identified in phase 1 into the cloud en- 
vironment itself. This has been the most challenging part of our 
contract, in large part because we have had to construct security 
monitoring capabilities while the system itself is being built. Our 
work on this phase continues. And third is actually monitoring the 
environment, which itself can be thought of as having two compo- 
nents. One is day-to-day, continuously searching for malicious ac- 
tivities including reporting and defending against them when they 
do occur. The other is monitoring known malicious actors or groups 
in advance of attacks to proactively identify the techniques or tac- 
tics they may be using or planning to use to compromise this envi- 
ronment. These are our main and State responsibilities relating to 
the security environment. 

We have worked very closely with CMS and Verizon Terremark 
on all phases of our work. CMS reviews and approves any capa- 
bility we place in the environment, and Verizon Terremark, as the 
host of the environment, helps determine what security measures 
are placed in the virtual data center. 

Prospective on our role is important. While our work for CMS is 
essential, it is narrowly focused, and we were not involved in the 
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design of the site, developing the software that runs it, or its ad- 
ministration. To that end, we do not monitor the site for perform- 
ance purposes. Foreground Security is just 1 member of the secu- 
rity team, in addition to the other companies represented today 
here on this panel, Verizon Terremark, URS, CGI and QSSI, all 
play key roles in developing and testing the security of 
Healthcare.gov. 

I am proud of the work that Foreground Security has undertaken 
and continues to undertake in order to allow families and individ- 
uals looking for health insurance to use the Healthcare.gov Web 
site, secure in the knowledge that their personal information is 
being protected with state-of-the-art monitoring and defenses. To 
this point. Foreground Security has fulfilled its obligations to CMS 
on time and under budget. We are dedicated to secure the oper- 
ation of Healthcare.gov, and take extremely serious the obligations 
to the public trust. 

I welcome any questions you may have. 

[The prepared statement of Mr. Amsler follows:] 
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Chairman Murphy, Ranking Member DeGette, members of the 
Subcommittee, good afternoon and thank you for inviting me to testify at this 
hearing on the security of the web site, HealthCare.gov. I am the President and 
Chief Information Officer of Foreground Security, Inc. I also founded the 
company, which provides cyber-security consulting, training and services for both 
private sector and government entities. Our clients include Fortune 100 
companies, smaller but highly-targeted firms, and government agencies. We 
defend our customers against increasingly intricate threats and threat actors 
through an integrated approach that entails building security architecture and 
assessing, monitoring, and responding to attacks against our customer 
environments. 

Foreground Security is a small but growing, dedicated cyber-security 


business located in Herndon, Virginia and Florida. Our roughly 100 employees are 
highly-trained and committed to serving our clients. 
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Foreground Security is one of the companies hired to help develop a robust 
operational security management program for the new virtual data center created to 
implement the Affordable Care Act. We are a subcontractor to our teammate, 
Creative Computing Solutions, Inc. — or “CCSI” — ^which is the prime contractor 
for the Centers for Medicare and Medicaid Services (“CMS”). 

Our role with CCSI includes a number of objectives relating to the security 
environment ofHealthCare.gov. I think of our role as encompassing three phases. 
First, is the creation of the security monitoring environment. This entailed getting 
key staff in place, identifying needed security monitoring software and hardware, 
and building out a dedicated securities operations center, or “SOC”, from which all 
monitoring is performed. 

Second, is building those security monitoring capabilities identified in phase 
one into the cloud environment itself. This has been the most challenging part of 
our contract, in large part because we have had to construct security monitoring 
capabilities while the system itself is being built. Our work on this phase 
continues. 

And third, is actually monitoring the environment, which itself can be 
thought of as having two components. One is day-to-day, continuous searching for 
malicious activities, including reporting and defending against them when they 
occur. The other is monitoring known, malicious actors or groups in advance of 
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attacks to proactively identify techniques or tactics they may be using or planning 
to use to compromise this environment. These are our main, end-state 
responsibilities relating to the security environment. 

We have worked very closely with CMS and Verizon/Terremark on all 
phases of our work. CMS reviews and approves any capability we place in the 
environment and Verizon/Terremark, as the host of the environment, helps 
determine what security measures are placed in the virtual data center. 

Perspective on our role is important. While our work for CMS is essential, it 
is also narrowly focused, and we were not involved in the design of the site, 
developing the software that runs it, or its administration. To that end, we do not 
monitor the site for performance purposes. Foreground Security is just one 
member of the security team. In addition to the other companies represented today 
on this panel, Verizon/Terremark, URS, CGI, and QSSI all play key roles in 
developing and testing the security ofHealthCare.gov. 

I am proud of the work that Foreground Security has undertaken — and 
continues to undertake — in order to allow families and individuals looking for 
health insurance to use the HealthCare.gov site, secure in the knowledge that their 
personal information is being protected with state-of-the art monitoring and 
defenses. To this point. Foreground Security has fulfilled its obligations to CMS 
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on time and under budget. We are dedicated to the secure operation of 
HealthCare.gov and take extremely seriously our obligations to the public trust. 
I welcome any questions you may have. 
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Mr. Murphy. Thank you, Mr. Amsler. 

Couple of questions I want to begin with. First of all, I will start 
with you, Mr. Amsler. You were here throughout Mr. Chao’s testi- 
mony, all three of you were. Do you have any concerns about any 
comments that were made by Mr. Chao? 

Mr. Amsler. I wouldn’t have any specific concerns 

Mr. Murphy. Ms. Bauer? 

Mr. Amsler [continuing]. I would like to voice. 

Ms. Bauer. No. 

Mr. Murphy. Mr. Providakes? 

Mr. Providakes. No concerns. 

Mr. Murphy. All right. Mr. Amsler, you had said that in addition 
to the other companies represented today in this panel, Verizon 
Terremark, URS, CGI and QSSI, all played key roles in developing 
and testing the security of Healthcare.gov. Are you also referring 
to Ms. Bauer’s company played a role in this? 

Mr. Amsler. I view them as our teammate, I view them as one 
of us. 

Mr. Murphy. Because I thought in her testimony she said that 
they were not that involved. So let me ask you, with this many 
companies involved, who did you all report to? 

Mr. Amsler. Well, our customer was CMS, and the security 
team 

Mr. Murphy. Person. Is there a person? 

Mr. Amsler. Our direct Government technical lead, his name is 
Tom Shankweiler. 

Mr. Murphy. And with regard to this, with all of these compa- 
nies involved playing key roles in developing and testing security, 
is that typical to have so many companies involved as opposed to 
one that is trying to do the end-to-end work on this? 

Mr. Amsler. Well, we have experienced all sizes of implementa- 
tions. This one is obviously, certainly one of the largest that I have 
ever seen undertaken. I have certainly seen lots of people involved, 
but probably not this many. 

Mr. Murphy. Mr. Providakes, is this typical to have so many 
companies involved in dealing with the security in a site? 

Mr. Providakes. Not really number of companies that were in- 
volved, but having two or three is not untypical to have on the 
complexity of a site like this. 

Mr. Murphy. I just wondered if that added to the complexity of 
trying to monitor security of the site. 

Mr. Providakes. If it is well-managed from a program perspec- 
tive — 

Mr. Murphy. Was it well-managed? 

Mr. Providakes. I would not know. 

Mr. Murphy. From your perspective? 

Mr. Providakes. I don’t — we weren’t involved in that level of in- 
sight on that. I believe, you know 

Mr. Murphy. All right, Ms. Bauer, were you involved in that 
level, and was it well-managed from your point of view? 

Ms. Bauer. Our management from CMS has been on a very reg- 
ular basis. We have daily meetings, in fact, since Healthcare.gov 
went live. Those meetings actually began, or ramped up I should 
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say, to hourly and then back to way to about every 4 hours, and 
now they are on a shift basis of three times a day. 

Mr. Murphy. Well, you just said activities involving the develop- 
ment, scaling, testing, release or administration of the Federal Ex- 
change Program system, Healthcare.gov, the Federal Exchange or 
the Federally Facilitated Marketplace, or FFM, are not within the 
scope of your contract. So you were not involved in the security 
issues involved with those Web sites? 

Ms. Bauer. The security, yes, but not the development, scaling, 
or testing of the Healthcare.gov applications, per se. 

Mr. Murphy. Were you involved with the testing of the security? 

Ms. Bauer. Yes. 

Mr. Murphy. And was it working? 

Ms. Bauer. Yes. 

Mr. Murphy. At October 1? 

Ms. Bauer. Everything that was under our scope. 

Mr. Murphy. Under your scope. 

Ms. Bauer. Yes 

Mr. Murphy. But in terms of 

Ms. Bauer [continuing]. Was functioning. 

Mr. Murphy [continuing]. How it relates to other parts, you don’t 
know? 

Ms. Bauer. I would not know that. 

Mr. Murphy. OK. Mr. Amsler, how about for you, were your 
parts working OK in your individual part, and was that also tested 
with regard to the others? 

Mr. Amsler. Congressman, to be clear, as far as our work is con- 
cerned, our focus worked around operational monitoring security 
and some testing, we absolutely were working. I can’t speak to the 
rest of the groups and the teams that were involved in develop- 
ment, or even the SCA 

Mr. Murphy. What I am trying to find out, was that 

Mr. Amsler [continuing]. People who were not involved. 

Mr. Murphy [continuing]. Typical, atypical, and would you be 
concerned about how your parts worked in conjunction with the 
site overall, or is that not typically a question you would ask? Well, 
it is like this: If you design a part for a car and you know your 
part is working, would you like to know if the car works? 

Mr. Amsler. Absolutely. 

Mr. Murphy. And so that is what I am asking all of you, would 
you have liked to have known that if your segments may have 
worked on their own, but you didn’t know whether or not it worked 
at the whole system security. Is that correct, Mr. Providakes? 

Mr. Providakes. Well, that would be correct. 

Mr. Murphy. Ms. Bauer? 

Ms. Bauer. Yes. 

Mr. Murphy. OK. Mr. Providakes, CMS adopted the security 
controls you developed, correct? 

Mr. Providakes. That is correct. 

Mr. Murphy. And are these controls embedded in the applica- 
tions at the direction of CMS? 

Mr. Providakes. They were assessed, but yes, they were embed- 
ded for the configuration changes would be made based on the con- 
figuration controls. 
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Mr. Murphy. And at what point of the application development 
phase should security controls begin to be embedded into the appli- 
cation? 

Mr. Providakes. Well, at the production phase. Generally, when 
we test with an SCA, we are assuming that we are looking at the 
production-ready version of the application, and then we apply 
those CMS security controls we talked about and assess those 
against the production-ready version of that application. 

Mr. Murphy. Are they embedded into the architecture of 
Healthcare.gov? 

Mr. Providakes. The overall CMS enterprise security controls 
are to be applied across all the systems of Healthcare.gov. 

Mr. Murphy. So they should be embedded then into 
Healthcare.gov? 

Mr. Providakes. It should be. 

Mr. Murphy. Were they? 

Mr. Providakes. I have no way of knowing that. 

Mr. Murphy. Ms. Bauer, do you know if they were? 

Ms. Bauer. I do not know. 

Mr. Murphy. Mr. Amsler? 

Mr. Amsler. I wouldn’t know the answer to that. 

Mr. Murphy. OK. But you all worked on these security parts. We 
don’t know if they were embedded and you don’t know if anybody 
did testing, but you would have liked to have seen that. Am I cor- 
rect with all of you? 

Mr. Providakes. No, just parts. Just some parts. 

Mr. Murphy. Ms. Bauer, correct? 

Ms. Bauer. Correct 

Mr. Murphy. Mr. Amsler? 

Mr. Amsler. Correct. 

Mr. Murphy. Thank you. 

And now I will yield to Ms. DeCette for 5 minutes. 

Ms. DeCette. Thank you, Mr. Chairman. 

As Mr. Chao testified, it is part of CMS’s protocols that they hire 
independent contractors to test different parts of the security as- 
pects of the site. Is that your understanding as well, Mr. 
Providakes? 

Mr. Providakes. Yes, it is. 

Ms. DeGette. And is it yours, Ms. Bauer? 

Ms. Bauer. Yes. 

Ms. DeCette. And is it yours, Mr. Amsler? 

Mr. Amsler. Yes. 

Ms. DeCette. So, Mr. Providakes, I want to ask you first. You 
testified your company was not hired to perform end-to-end secu- 
rity testing, is that correct? 

Mr. Providakes. That is correct. 

Ms. DeCette. And so what your job was to assess and identify 
risks and specific components of Healthcare.gov, to work with CMS 
and to address those concerns and report on the findings and re- 
sults. Is that correct? 

Mr. Providakes. That is correct. 

Ms. DeCette. And am I correct that in virtually all cases, when 
you did identify high risks in Healthcare.gov components, CMS was 
able to mitigate those risks before the system went live? 



108 


Mr. Providakes. Yes. Almost all the high risks were mitigated. 

Ms. DeGette. And you said in your testimony — in your written 
testimony, MITRE is not in charge of security for Healthcare.gov. 
We were not asked, nor did we perform, end-to-end security test- 
ing. We have no view of the overall safety or security status of 
Healthcare.gov. That is because you were only asked to do a nar- 
row assessment of part of it, right? 

Mr. Providakes. A narrow assessment in scope and in a time 
that is 

Ms. DeGette. In time. 

Mr. Providakes. In time. 

Ms. DeGette. Now, I just want to ask you, what is your personal 
view of the overall safety or security of Healthcare.gov, having 
worked on this, at least some aspects of it? 

Mr. Providakes. Well, my personal perspective 

Ms. DeGette. Uh-huh. 

Mr. Providakes [continuing]. Knowing CMS experience in the 
past, as Henry Chao alluded to, they do a very solid job in terms 
of securing their systems — 

Ms. DeGette. And 

Mr. Providakes [continuing]. Historically. 

Ms. DeGette. And what you were doing was part of the same 
types of things CMS has done to secure their systems in the 
past 

Mr. Providakes. That is correct. 

Ms. DeGette [continuing]. Is that right? 

Mr. Providakes. That is correct. 

Ms. DeGette. Ms. Bauer — now, as I understand it, Mr. Amsler, 
your company works sort of as a subcontractor of Ms. Bauer’s com- 
pany. Is that right? 

Mr. Amsler. Yes. 

Ms. DeGette. OK. So what you folks do is your company — CCSi 
monitors the firewalls and network devices for the e-cloud that 
hosts Healthcare.gov, and scans the Web site’s application for secu- 
rity vulnerabilities. Is that correct? 

Ms. Bauer. That is correct. 

Ms. DeGette. And on October 22, you briefed this committee, 
and I want to ask you, at that time, had you detected any activity 
that you would consider to be out of the ordinary for a system like 
this? 

Ms. Bauer. Not out of the ordinary, no. 

Ms. DeGette. OK. And are you continuing to monitor the Web 
site moving forward? 

Ms. Bauer. Yes, we continue to perform all the functions of our 
contract. 

Ms. DeGette. And why is that? 

Ms. Bauer. I am sorry? 

Ms. DeGette. Why are you continuing to monitor the functions? 

Ms. Bauer. Because that is the scope of our contract, is to con- 
tinually — 

Ms. DeGette. OK. And have you 

Ms. Bauer [continuing]. Monitor it. 

Ms. DeGette. Have you detected any activity since October 22 
that you considered to be out of the ordinary? 
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Ms. Bauer. We would detect activity on a daily, if not hourly 
basis. That is part of the nature of security monitoring. Whether 
it is extreme or out of the ordinary, there is nothing that has been 
brought to my attention that would 

Ms. DeGette. And would that be then reported to CMS? 

Ms. Bauer. Yes, there is an incident response plan, and we fol- 
low the procedures of that plan. 

Ms. DeGette. And have you seen anything that would indicate 
some terrible problem with the Web site vis-a-vis security? 

Ms. Bauer. Nothing that I have seen or that has been escalated 
to me, no. 

Ms. DeGette. OK. And there is another contractor as I under- 
stand that has also been asked to look at other aspects, and that 
is Verizon. They are not here today. Is that your understanding as 
well? 

Ms. Bauer. Yes. Yes. 

Ms. DeGette. So Ms. Bauer, has your company worked with 
CMS before? Mr. Providakes said his has on security issues. 

Ms. Bauer. No, we have not, but we 

Ms. DeGette. OK. 

Ms. Bauer [continuing]. Have other security work. 

Ms. DeGette. OK. And Mr. Amsler, what about your company? 

Mr. Amsler. Not directly for CMS 

Ms. DeGette. OK. 

Mr. Amsler [continuing]. But other HHS 

Ms. DeGette. OK, so you wouldn’t know whether this is — kind 
of mirrors other security activity with CMS. But, Mr. Providakes, 
you are telling me that, with what your company has done before, 
you are seeing a similar concern and readiness for security applica- 
tions? 

Mr. Providakes. Well, what I said was that following CMS’s ap- 
proach towards security, they do execute, you know, 10, 20 , 70 
SCA’s a year that we actually executed for CMS. So part of their 
process is, before they execute an ATO, they look for the input of 
these SCA’s, which is a very rigorous process, a definition, defined 
in a parameter in a moment of time that we would conduct these 
SCA’s for CMS as input to the ATO process. 

Ms. DeGette. Right. OK, thank you. 

Thanks, Mr. Chairman. I appreciate it. 

Mr. Murphy. Let me ask clarification of something Ms. DeGette 
said. 

Mr. Providakes. Sure. 

Mr. Murphy. She asked you a question about CMS and their 
work on this, and you used the word historically. Were you refer- 
ring then to the Healthcare.gov Web site or in the past they were? 

Mr. Providakes. No. In the past. Broadly across CMS in terms 
of their security rigor that they apply across their systems. 

Mr. Murphy. Thank you. 

Mr. Olson, you are recognized for 5 minutes. 

Mr. Olson. I thank the Chair. I mostly want to thank the wit- 
nesses for your patience being here. It has been a long day, I know 
that. 
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Very brief questions. I mean, getting Healthcare.gov up and run- 
ning is not rocket science, and that is good because if it were, we 
would still be waiting to land on the moon over 50 years later. 

You may have seen the McKinsey report, the Red Team report. 
Have you all seen that? 

Ms. Bauer. I have not. 

Mr. Olson. OK. I will get the copies to you. I just want to ask 
some questions about the report. And I apologize that you haven’t 
seen it, but it compares on page 4 ideal, large-scale programs and 
the current state of Healthcare.gov. And I want to — just some yes- 
or-no questions, do you agree with the statements from this report. 
And again, it is compared to large-scale program development ideal 
program with the characteristics of Healthcare.gov. The first ideal 
situation, clear articulation of requirements and success metrics in 
Healthcare.gov, evolving requirements and multiple definitions of 
success. Do you agree with those assessments that that is ideal, 
and that is what has happened with Healthcare.gov, Mr. 
Providakes? Yes or no, sir? Don’t want to put you on the spot. 

Mr. Providakes. It is very difficult to answer that question. Is 
that a hypothetical question in terms of 

Mr. Olson. Hypothetical, yes, sir. I mean the ideal program is 
in clear articulation and has that happened on Healthcare.gov? 

Mr. Providakes. In the best world, you would love to have clear 
articulated requirements upfront that you can design to, build to, 
test to, and that would be great, although it is rare, but that would 
be great. 

Mr. Olson. OK, involving requirements with Healthcare.gov, has 
that been a problem? 

Mr. Providakes. I am not sure of the number of requirements. 
I would think there were quite a number of requirements for 
Healthcare.gov. 

Mr. Olson. Ms. Bauer? 

Ms. Bauer. I would — just having looked at it briefly, I would 
agree with 

Mr. Olson. I apologize for that, ma’am. 

Ms. Bauer. I would agree with the description of ideals — the 
ideal situation, however, I wouldn’t have insight into the current 
situation because that involves the development of 
Healthcare.gov 

Mr. Olson. OK. 

Ms. Bauer [continuing]. Which is not within the scope of our 
contract. 

Mr. Olson. Mr. Amsler? 

Mr. Amsler. I would — ideal is — I agree with ideal. Again, we 
weren’t involved in those aspects, so I couldn’t speak to it. 

Mr. Olson. How about the program that ideal is sequential re- 
quirements design, build and testing, integration, revision between 
phases, and what the current situation is parallel stacking of all 
phases. Do you agree, Mr. Providakes? I apologize, sir, for not 

Mr. Providakes. That is fine. If 

Mr. Olson [continuing]. Pronouncing — would idealism work? 

Mr. Providakes. It would create significant challenges to the 
program office to deliver that. 

Mr. Olson. Has there been parallel stacking? 
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Mr. Providakes. It would be a significant challenge to do that. 

Mr. Olson. Ms. Bauer? 

Ms. Bauer. I would agree with that statement. 

Mr. Olson. Mr. Amsler? 

Mr. Amsler. Agree. 

Mr. Olson. OK, how about interim integrated operations and 
testing is ideal. I think we all agree with that. And what has hap- 
pened is insufficient time and scope of end-to-end testing. Would 
you all agree with those statements, yes or no? 

Mr. Providakes. I guess in the context you put it, you are saying 
is there a limited end-to-end testing, and given the fact that you 
have a hard date, I would surmise they had limited time to end- 
to-end testing. It doesn’t mean you couldn’t have done it, it just 
meant there is limited time to do it. 

Mr. Olson. Ms. Bauer? 

Ms. Bauer. Yes, generally I would agree. I would have no insight 
though into what the increments were as regards to schedule, but, 
you know, you could create milestones and achieve ideally just 
about any goal if you create the milestones and achieve them on 
the way to the goal. 

Mr. Olson. Mr. Amsler? 

Mr. Amsler. End-to-end testing for me is pure security. That is 
the world we live in, and that is the world that we only live in. 
We can achieve a lot testing along the way, but I would certainly — 
I always shoot for ideal. Ideal would be end-to-end testing. 

Mr. Olson. And ideal a limited initial launch or a full launch? 
Not ideal. Last question. Yes or no, do you agree with those state- 
ments? Launching at full volume is not very good, limited initial 
launch what we should be seeking? 

Mr. Providakes. Well, limited launch increases the risk, obvi- 
ously, than a full. It is an increased risk. 

Mr. Olson. Yes. Ms. Bauer? 

Ms. Bauer. I would actually suggest that perhaps a limited 
launch would have had a lower risk, and that a full launch may 
have a larger risk, whatever system you would be deploying. 

Mr. Olson. Mr. Amsler? 

Mr. Amsler. I agree with Ms. Bauer’s statement. 

Mr. Olson. Well said, sir. 

And one final question. Again, I am not trying to put you on the 
spot, but with all your knowledge about how this program rolled 
out, are you comfortable putting yourselves’ and your families’, put- 
ting your personal information into Healthcare.gov? 

Mr. Providakes. I have. 

Mr. Olson. You are comfortable? Yes. 

Mr. Providakes. That is a personal choice that you have to 
make based on, in my case, where knowing the limited amount of 
personal information I put up there and other information, I feel 
comfortable personally, but that might not apply to everyone. 

Mr. Olson. Ms. Bauer, yes or no, ma’am, comfortable? 

Ms. Bauer. Yes. 

Mr. Olson. Mr. Amsler? 

Mr. Amsler. I am actually very happy with my current health 
care. 

Mr. Olson. Oh boy, you are trying to open a hornet’s nest there. 
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Mr. Murphy. Well, too bad you can’t keep it. 

Mr. Olson. That is my time. 

Mr. Murphy. What it comes down to. Gentleman’s time has ex- 
pired. 

Ms. DeGette, you have a clarifying question? 

Ms. DeGette. Thank you, Mr. Chairman. 

The questions that Mr. Olson was asking you folks were on this 
McKinsey document that we spent so much time with the last wit- 
ness talking about, tab 1 of the notebook. Have you seen that re- 
port before, Mr. Providakes? 

Mr. Providakes. I am familiar with this report. 

Ms. DeGette. OK. Ms. Bauer, have you seen it? 

Ms. Bauer. No, I have not. 

Ms. DeGette. And, Mr. Amsler, have you seen it? 

Mr. Amsler. I have not. 

Ms. DeGette. OK. So, Mr. Providakes, the 2 of you — Ms. Bauer 
and Mr. Amsler, any answers you were giving were really just 
based on speculation, since you haven’t seen it and weren’t in- 
volved with it, is that right? 

Ms. Bauer. Yes. 

Ms. DeGette. Mr. Amsler? 

Mr. Amsler. That is correct. 

Ms. DeGette. OK, Mr. Providakes, so Mr. Olson was asking you 
about some of these recommendations. This is from last spring. It 
was a snapshot in time. On page 4 of that report, at the bottom 
where he was talking about evolving requirements, multiple defini- 
tions of success, et cetera. 

Mr. Providakes. Um-hum. 

Ms. DeGette. The part he forgot to mention, which was the part 
also I noticed they forgot to mention when the previous witness 
was up, is the part that is in the box in bold type at the bottom 
of all of those current situation bullets, which says, CMS has been 
working to mitigate challenges resulting from program characteris- 
tics. Do you see that? 

Mr. Providakes. I do see it. 

Ms. DeGette. What does that mean to you? 

Mr. Providakes. Well, it means to me that they recognize the 
risks and the challenges of the program, and they were looking at 
options or mitigation approaches that would minimize the risks. 

Ms. DeGette. So CMS hired McKinsey to do an evaluation of the 
program and come up with some concerns that they could then 
work to mitigate. Is that right? 

Mr. Providakes. Only what I — ^yes. 

Ms. DeGette. And that is the same reason they hired your com- 
pany to do security assessments, is to find places where there 
might be problems, and to make recommendations that they could 
then work to mitigate. Is that right? 

Mr. Providakes. That is correct. Identify risks, mitigate risks. 

Ms. DeGette. And in your view, at least the recommendations 
your company made, did they, in fact, work to mitigate those risks? 

Mr. Providakes. In the context of the SCA, yes. 

Ms. DeGette. Thank you very much, Mr. Chairman. I have no 
further questions. 
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Mr. Murphy. OK, had you seen this document before today, Mr. 
Providakes? 

Mr. Providakes. I am familiar of the document. It has been a 
while. 

Mr. Murphy. But — so you are familiar. So when they say they 
have been working to mitigate challenges, you are personally 
aware that some of these mitigations were taking place, or you are 
just saying so today? 

Mr. Providakes. No, I had no idea of what mitigation — whether 
they took the recommendations of this or not 

Mr. Murphy. I was curious because you were drawing a conclu- 
sion, but I didn’t know if you had — so that is based upon 

Mr. Providakes. Based upon 

Mr. Murphy [continuing]. Just a guess today, OK. 

Mr. Providakes. Exactly, yes. 

Mr. Murphy. Quick thing. Mr. Amsler, while developing the se- 
curity measures for the cloud environment, have you encountered 
any challenges at all? 

Mr. Amsler. Certainly lots of challenges along the way. Con- 
gressman, did you mean more implementing them or certain 
things? 

Mr. Murphy. Some things that are different from what you are 
used to here, or anything standing out to you that is a concern with 
regard to the cloud environment or the security there? 

Mr. Amsler. Well, the cloud in and of itself brings a unique set 
of challenges that any — us in the industry are all trying to deal 
with. It 

Mr. Murphy. That is a system that you can’t necessarily correct 
right now with a cloud environment. On its own, it is a secure con- 
cern. 

Mr. Amsler. Agreed. It is our biggest — one of our biggest chal- 
lenges that we are facing as an industry today, that being the 
cyber security industry. 

Mr. Murphy. Who is in charge of that cloud environment? 

Mr. Amsler. Verizon Terremark is, and I assume you mean actu- 
ally owns it 

Mr. Murphy. Yes. 

Mr. Amsler [continuing]. And controls it. 

Mr. Murphy. And how difficult is it to develop these security 
measures while the system is being built? 

Mr. Amsler. That would not be ideal. 

Mr. Murphy. Do you have all the tools and capabilities now to 
successfully and fully monitor this system? 

Mr. Amsler. I am a unique animal in that I live, eat and breathe 
cyber security, and as a company, we do 

Mr. Murphy. I understand. 

Mr. Amsler [continuing]. So we always strive for better. I am al- 
ways striving to make it the best that I can. 

Mr. Murphy. Do you have all the tools now you need to fully 
monitor the system? 

Mr. Amsler. We have a set of controls that exceed any standard 
set of controls 

Mr. Murphy. I understand you are trying to do a great job. I ap- 
preciate that. I am just trying to get a sense of have you been lim- 
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ited in any way in your ability to do all the things you would like 
to do with your excellent team in place? 

Mr. Amsler. There are some things that we have asked for that 
are not in place as of yet. 

Mr. Murphy. Tell me, such as what? 

Mr. Amsler. These were — they are very technical in nature. 
Again, we have a standard set of controls 

Mr. Murphy. Sure. 

Mr. Amsler [continuing]. Or we are shooting for more. 

Ms. DeGette. Mr. Chairman, we might want to have him give 
us that information 

Mr. Murphy. Yes, could you let us know that? 

Ms. DeGette [continuing]. And provide it. 

Mr. Amsler. I would be happy to. 

Mr. Murphy. Or is that something you would like to do in pri- 
vate instead of public? Would that be better? 

Mr. Amsler. I would be happy to get with my team and get with 
the 

Mr. Murphy. I appreciate that. Ms. Bauer, do you have all the 
tools necessary to fully 

Ms. Bauer. Well, our answers are essentially the same because 
we are an integrated team. 

Mr. Murphy. I see. 

Ms. Bauer. I would agree with Dave. 

Mr. Murphy. All right. And, Mr. Providakes, do you have all the 
tools necessary to fully do your work here? 

Mr. Providakes. Well, we are in a slightly different role, but, 
yes. 

Mr. Murphy. I see. So let me ask this then, with regard to how 
things are. Have there been any attempts under what you have 
monitored, Ms. Bauer and Mr. Amsler, any attempts to hack into 
the system that you can tell? 

Mr. Amsler. Congressman, the simple answer is yes. The longer 
answer is I don’t have an environment where it is not being at- 
tacked today, though. 

Mr. Murphy. I understand. So with regard to this, then, is the 
system now — are you saying that it is fully secure from external 
hackers trying to get in? 

Mr. Amsler. You know, I am never — we live in a world of not 
if but more when. 

Mr. Murphy. Um-hum. 

Mr. Amsler. That is the nature of the world we live in today. So 
I can never give you a guarantee that someone is not going to get 
in. It is probably going to happen at some point, but we have de- 
signed it to limit the damage and identify it as quick as possible. 

Mr. Murphy. So we can’t at this point sign off and say the sys- 
tem is fully secure. It is an ongoing process, you are saying? 

Mr. Amsler. It is an always ongoing process. Today I feel com- 
fortable with the capabilities we have put in place, but I am always 
striving for more. 

Mr. Murphy. I understand. And, Ms. Bauer, would you agree 
with that assessment? 

Ms. Bauer. I would. Dave is answering it from a very 
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Mr. Murphy. You have to talk into the microphone, I can’t hear 
you. 

Ms. Bauer [continuing]. Very technical perspective, but I would 
say that from our perspective with regard to the tools and appli- 
ances we have in place, right now today, the system is secure. As 
Dave says, security is always evolving, it is always dynamic and 
ongoing, and we are always going to want to do better and keep 
on top of the latest technology, the latest appliances, so it will al- 
ways be maturing. But as regards the scope of our contract and the 
appliances and tools and processes we have in place, we are con- 
fident — 

Mr. Murphy. I mean, I appreciate your standards of excellence, 
and I appreciate you understand this is an evolving process, but 
given the concerns for security, what I am hearing from you is no- 
body can really give 100 percent guarantee that this Web site is 
secure with regard to the data that it has in it, the personally iden- 
tifiable information as people put those things in there. No one can 
guarantee that some hacker isn’t going to try and get into it, and 
that they will continue to try and probe until they get through. Is 
that what you are saying? 

Mr. Amsler. But I also would say the same thing about 
Facebook or any banking Web site as well. 

Mr. Murphy. Sure. 

Mr. Amsler. It is just unfortunately the world we live in today. 

Mr. Murphy. I appreciate that. Same with you, Ms. Bauer? 

Ms. Bauer. Yes, and I think that the critical factor is the rigor 
with which we have procedures in place to identify any risks, any 
vulnerabilities, and then work to mitigate them. And we have very 
robust procedures in place for that. 

Mr. Murphy. Very good. Well, I appreciate the comments from 
the panel today, and I ask unanimous consent that the written 
opening statements of other members be introduced into the record, 
and without objection, those documents will be in the record. 

[The information follows:] 
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Committee on Energy and Commerce 
Subcommittee on Oversight and Investigations 

Hearing on “Security ofHealthcare.gov” 

November 19, 2013 

*** 

Statement for the Record 
Hon. G.K. Butterfield 

We can all agree that security of confidential personal information is critical to our 
constituents who are anxious to enroll in the Affordable Care Act. 

The Hub and Federally-facilitated Marketplace eligibility and enrollment system have 
clearly complied with a robust regulatory framework of rules, regulations, standards, and laws. It 
is clear that because the ACA no longer allows insurance discrimination based on preexisting 
medical conditions, enrollees no longer need to divulge personal medical information as they used 
to when applying for insurance. 

There is still much work to do to improve Healthcare.gov and get people enrolled by 
2014. But the website complications are connected to user volume and not security concerns. It is 
encouraging that so many want to access the website and enroll in the ACA. We must focus our 
efforts on giving the 137,000 uninsured in my district the tools to access affordable care and 
spread the word to help get them enrolled. While security is paramount to my constituents, this 
hearing distracts from the true mission of getting more people quality care. 



117 


Mr. Murphy. I also ask unanimous consent that the contents of 
the document binder be introduced into the record, and I authorize 
staff to make appropriate redactions. And without objection, the 
documents will be entered into the record with any redactions that 
staff determines are appropriate. 

[The information appears at the conclusion of the hearing.] 

Mr. Murphy. So in conclusion, I would like to thank all the wit- 
nesses and members that participated in today’s hearing. I remind 
members they have 10 business days to submit questions for the 
record, and I ask that the witnesses all please agree to answer 
promptly to the questions, and we will work out some mechanism 
to answer some of them in confidential, in-camera discussions. 

And with that, this hearing is concluded. 

[Whereupon, at 1:30 p.m., the subcommittee was adjourned.] 
[Material submitted for inclusion in the record follows:] 
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The Committee on Energy and Commerce 

Memorandum 



November 17, 2013 


TO: Members, Subcommittee on Oversight and Investigations 

FROM: Committee Majority Staff 

RE: Hearing on “Security ofHealthCare.gov” 

On Tuesday, November 19, 2013, at 10:15 a.m. in 2123 Rayburn House Office Building, the 
Subcommittee on Oversight and Investigations will hold a hearing entitled “Security of 
HealthCare.gov.” This hearing will focus on the issues surrounding the implementation of the 
Patient Protection and Affordable Care Act’s (PPACA) health insurance exchanges and the security 
ofHealthCare.gov. 

I. WITNESSES 

The following witnesses will testify at the hearing: 


Panel I: 

Mr. Henry Chao 

Deputy Chief Information Officer and Deputy Director of the Office of Information Services 
Centers for Medicare and Medicaid Services (CMS) 

Panel II: 

Mr. David Amsler 

President and Chief Information Officer 
Foreground Security, Inc. 

Ms. Maggie Bauer 

Senior Vice President, Health Services 
Creative Computing Solutions, Inc. (CCSi) 

Mr. Jason Providakes 

Senior Vice President and General Manager 
Center for Connected Government 
MITRE Corporation (MITRE) 
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The Committee invited Verizon Terremark Federal (Verizon Terremark) to testify at the hearing. 
Verizon Terremark informed the Committee on November 16, 2013, that it declined the 
Committee’s invitation to testify. 

II. BACKGROUND 

Over the last year, the Committee has asked Administration vritnesses about the status of 
HealthCare.gov and whether the administration was ready for the launch of open enrollment on 
October 1, 2013. For example, in her testimony to the Committee on August 1, 2013, CMS 
Administrator Marilyn Tavenner assured the Committee that “CMS has been conducting systems 
tests since October 2012 and will complete end-to-end testing before open enrollment begins.” 

After the failed October 1 launch, the Committee opened an investigation into the 
implementation of the PPACA and the failed launch of the HealthCare.gov website. On October 
10, 2013, the Committee sent letters requesting documents and certain information from the U.S. 
Department of Health and Human Services (HHS), CGI Federal, and Quality Software Services, 

Inc. (QSSI). After the Committee received documents indicating that the failure to conduct end-to- 
end testing prior to the October 1 launch presented certain security risks, the Committee sent letters 
on October 31, 2013, to HHS, MITRE, Verizon Terremark, CCSi, and Foreground requesting 
certain documents and information relating to the security of the Federally Facilitated Marketplace 
(FFM). 


In response to these letters, the Committee has received initial document productions and 
Committee staff briefings from CMS officials and contractors. The Committee’s investigation of 
the failed launch ofHealthCare.gov is ongoing. Part 11(A) of this memorandum provides 
background on the security-related aspects of Federal information technology systems 
development. Part 11(B) provides a summary based on the documents and briefings provided to 
date to the Committee of how FFM applications and HealthCare.gov were tested for security and 
CMS’ management of this process. 

A Overview of the Development of the Federally Facilitated Marketplace 

PPACA implementation has involved multiple government agencies and contractors. 
Agencies such as the CMS, Internal Revenue Service, Social Security Administration, U.S. 
Department of Homeland Security, and the Office of Personnel Management are involved in the 
implementation of the PPACA exchanges. In addition, the HHS has entered into contracts with 
organizations to assist with the creation and operation of such exchanges, including the FFM. 
These contractors also are tasked with developing the applications that integrate the various 
components of the FFM. 


Several contractors and various government officials play a role in the security of 
HealthCare.gov. The FFM is comprised of government agencies, user applications, data centers 
and State marketplaces. Each piece of the FFM infrastructure requires that security be imbedded 
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into the framework.' Ideally, functionality of the system complements the security, and the 
security is tested and improves as the system matures.^ 

Federally owned and operated IT systems must comply with several security standards. 

The Federal Information Security Management Act of 2002 (FISMA) outlines the basic 
requirements or framework for managing information security. Additionally, Federal IT systems 
must meet certain baseline security requirements. Agencies develop these baseline security 
requirements by establishing appropriate security controls and assurance requirements. Agencies 
have flexibility in applying the baseline security controls depending on the type of IT systems they 
manage.’ Agencies, therefore, must customize the security controls to optimize mission 
requirements within the IT environment,'* 

Once security baselines or security controls have been developed and tailored to the needs 
of the IT system, the application developers and IT network service providers can integrate the 
security baselines into the overall system. Once the individual applications are developed, they are 
subject to a stress test known as a Security Control Assessment (SCA). The purpose of the 
security assessments is to identify security deficiencies and validate whether the application 
properly embeds the security controls.’ These assessments may result in the recommendation of 
additional controls. Once a deficiency is identified, a finding is made and a level of risk is 
assigned to the finding. Additionally, if deficiencies are identified, they are mitigated if possible or 
a schedule is established in which the deficiencies are remediated. 

After the assessments are completed and the systems and applications are integrated into 
the IT network, additional security measures ensure that the IT systems protections remain robust. 
Several examples of these measures include continuous monitoring, configuration management, 
systems access controls, and detection capabilities. 

During the course of the Committee’s investigation of the implementation of the PPACA, 
the Committee has identified several contractors that work with CMS to develop and validate the 
security controls and monitor system traffics with various tools and procedures. The following is a 
description of the security-related work performed by the FFM contractors who will testify at the 
November 19 hearing: 

• MITRE was awarded a contract by CMS in November 2012. Under this contract, MITRE 
developed a Federal Facilitated Research and Develop Center (FFRDC) within CMS. One of 
the roles of the FFRDC was to develop the security control baselines for the exchanges. After 
MITRE developed these security controls, CMS disseminated the security controls to the 
contractors creating the applications for the FFM, which included CGI and QSSI. The 
contractors that developed the applications for HealthCare.gov were responsible for 


' See generally, NIST Federal Information Processing Standard (FIPS) Publication 199, Standards for Security 
Categorization of Federal Information and Information Systems, 2004. 

^ See generally, NIST Special Publication 800-53, Rev. 4, Security and Privacy Controls for Federal Information 
^sterns and Organizations, 2013. 

’ Special Publication 800-53, Rev. 4, Section 1.4 Organizational Responsibilities, p. 4. 

■* Special Publication 800-53, Rev. 4, Section 1,4 Organizational Responsibilities, p. 4-5. 

* MST Special Publication 800-30, Rev. 1, 2012, provides guidance on the risk assessment process. 
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incorporating the security controls into the design of the applications. Once the applications 
were close to completion, MITRE performed the SCAs. The timing and the scope of the SCAs 
were determined by CMS. These SCAs test the applications’ integration of the security 
baselines. Over the course of 2013, MITRE conducted four SCAs of FFM applications. For 
the FFM, the Enterprise Information Security Group (EISG) within the Office of Information 
Services (OIS) at CMS worked with MITRE to develop the risk assessments and oversees that 
they are conducted correctly. 

• Verizon Terremark provides CMS with managed infrastructure services for the Federal Data 
Services Hub (DSH). Verizon Terremark was awarded its contract with CMS in November 
2012. That contract will expire in March 2014. In this capacity, Verizon Terremark provides a 
quasi-private cloud computing environment which consists of hosting IT hardware within a 
virtualized network infrastructure housed in a large data center. The operating systems for the 
network infrastructure have security embedded in the physical architecture of their system. 

The applications developed by other contractors are then hosted on this infrastructure at the 
data center. CMS informed Committee staff that Verizon Terremark also provides external 
intrusion detection and perimeter security for the DSH. 

• CCSi and Foreground Security monitor the perimeter firewalls and network devices for the 
eCloud. In August 2012, CCSi was awarded a small business contract, and Foreground 
Security is their subcontractor under the contract. In addition, these companies are responsible 
for scanning the code of the various applications in order to identify any security 
vulnerabilities. CCSi and Foreground Security are required to report any incidents they 
identify directly to CMS for remediation. They are also responsible for configuring CMS- 
ftimished equipment within the Verizon Terremark eCloud. 

Within CMS, responsibility for security is divided between two offices. Security related 
issues with the software applications, or those applications that users interact with on the 
exchanges and in the FFM, are managed by the Consumer Information and Insurance Systems 
Group, Marketplace Security Group (MSG) at CMS. The MSG oversees the remediation of 
security configuration flaws and vulnerabilities in the network infrastructure and the business 
applications. This group is headed by Monique Outerbridge, who reports directly to Deputy Chief 
Information Officer (CIO) Henry Chao. The other office responsible for security, EISG, 
establishes the security baselines and oversees the performance of the SCAs. The EISG is headed 
by Theresa Fryer. CMS Chief Information Officer Tony Trenkle worked closely with the 
personnel in EISG to develop the security baselines and conduct the SCAs. Mr. Trenkle’s last day 
with the agency was November 1 5, 20 1 3. 

B. The Committee 's Investigation of the Seairity of HealthCare.gov 

Contracts for the design and development of two of the primary applications of 
HealthCare.gov - CGI and QSSI - were awarded by CMS in the fall of 201 1. Approximately one 
year later, CMS awarded contracts to MITRE, CSSi, Foreground, and Verizon Terremark to 
develop other components of the FFM, including those related to security. 
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Beginning in January 2013, MITRE conducted a SCA of the Enterprise Identity 
Management (EIDM) application developed by QSSL This SCA was completed on February 13, 
2013. According to the SCA report drafted by MITRE, several high risks were identified and all 
were mitigated. The SCA also stated that as the EIDM was due for a new release, which added 
“significant fimctionality” and required a new SCA to be performed, “MITRE strongly 
recommends that CMS perform a comprehensive SCA of alt subsequent releases of [the] EIDM . . 

. Documents produced to the Committee to date do not indicate whether MITRE’s 
recommendation to perform SCAs on subsequent releases of the EIDM was followed. 

In June 2013, pursuant to its contract, MITRE conducted an SCA of the Exchange 
Consumer Web Services (ECWS) developed by Aquilent. According to MITRE’s report issued on 
August 23, 2013, “[djuring and after the assessment, Aquilent technicians focused their efforts on 
remediating the findings, with an emphasis on closing High and Moderate risk-level findings.”’ 

In August 2013, MITRE conducted a SCA of the DSH. A MITRE report issued on this 
SCA on October 4, 2013, stated that MITRE identified several high risk findings and 
recommended that “[wjhile all findings will need to be addressed, findings representing a high risk 
to CMS data should be addressed first and closed or mitigating controls implemented to reduce the 
risk exposure to CMS.”* The DSH received its Authorization-to-Operate (ATO) &om CMS on 
September 6, 2013. 

The final SCA before the October 1 start of open enrollment began in August 2013 and was 
completed on September 19, 2013. During this SCA, MITRE examined the Health Insurance 
exchange (HIX) developed by CGI Federal. METRE informed Committee staff during a briefing 
that CMS had to modify the scope of this assessment by limiting the systems and applications to be 
tested, because several of them were not complete. In its final report on this SCA, issued October 
1 1, 2013, MITRE concluded that it was “unable to adequately test the Confidentiality and Integrity 
of the HIX system in full.”’ MITRE explained that, for purposes of the SCA, it was supposed to 
examine the “potential security risks to CMS” regarding applications and modules “not tested 
previously.” MITRE went on to note that “[cjomplete end to end testing of the HEX application 
never occurred.” Additionally, MITRE indicated in its report that at the time of the August- 
September SCA of the CGI HIX, several applications were still “being developed” and “impacted 
end to end MITRE test cases.”'** 

The findings of MITRE’s SCAs of the DSH and CGI’s HIX necessitated that CMS issue 
certain authorizations prior to the October 1 , 201 3, launch of HealthCare.gov. On September 3, 
2013, CMS CIO Trenkle issued an Authorization Decision for the FFM Qualified Health Plans and 
Dental modules. In this decision, the CIO determined that, based on the findings in the earlier 
SCA, “the risk to CMS information and information systems resulting fi'om the operation of the 


® CMS Enterprise Identity Management Security Control Assessment (SCA) Report, April 5, 2013. 

* CMS Exchange Consumer Web Service (ECWS) Security Control Assessment (SCA) Report, August 23, 2013, 

® CMS Federal Data Services Hub (DSH) Security Control Assessment (SCA) Report, October 4, 2013. 

” CMS Health Insurance exchange (HIX) August-September 2013, Security Control Assessment (SCA) Report, 
October 11,2013. 

CMS Health Insurance exchange (MX) August-September 2013, Security Control Assessment (SCA) Report, 
October 11, 2013. 
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FFM information system is acceptable.”*' The decision to accept the risks for the site to operate 
was predicated on a list of mitigation measures that were to be completed in the future. The ATO 
listed the specific security findings and the schedule for mitigating those risks: five were to be 
completed in 2014, and the sixth in 2015. 

As discussed earlier, the SCA conducted by MITRE of the CGI HIX in August and 
September revealed that no end-to-end testing was conducted prior to the beginning of open 
enrollment. During a briefing with Committee staff, CMS CIO Trenkle stated that given the high 
profile of the FFM and the risks associated with launching on October 1,2013, it was his 
recommendation that CMS Administrator Tavenner sign an ATO after he informed her of the risks 
to the FFM. CMS CIO Trenkle also signed a separate Decision Memorandum that stated the 
mitigation plan that was in place because of these risks “does not reduce the risk to the FFM 
system itself going into operation on October 1, 2013.”*^ In a separate briefing with Committee 
staff. Deputy CIO Chao explained that while he edited this memorandum, he was not familiar with 
the specific risks discussed in the memorandum because he had not seen the results of the SCA 
outlining the inability to test the system from end-to-end in a single environment. 

On the recommendation of CMS CIO Trenkle, on September 27, 2013, CMS 
Administrator Tavenner signed a memorandum acknowledging that the FISMA required that the 
FFM “successfully undergo a Security Control Assessment (SCA)” and that “[d]ue to system 
readiness issues, the SCA was only partly completed.” According to this memorandum, “[fjrora a 
security perspective, the aspects of the system that were not tested due to the ongoing 
development, exposed a level of uncertainty that can be deemed as a high risk for the FFM.” By 
signing this memorandum, CMS Administrator Tavenner recommended that CMS issue an 
“Authority-to-Operate” for six months that would allow the FFM to go forward with a mitigation 
plan in place and to perform a “complete SCA.” 


III. ISSUES 

The following issues will be examined at the hearing: 

• CMS’ management of the security of the FFM and the roles and responsibilities of the 
various contractors for the security of the FFM; 

• How the failure to perform complete end-to-end testing prior to the October 1, 2013, 
launch of HealthCare.gov affects the security of the FFM; 

• CMS’ current assessment of the security ofHealthCare.gov and whether vulnerabilities 
have been identified. 


IV. STAFF CONTACTS 


" Authorization Decision for the Federal Facilitated Marketplaces (FFM) System, from Director of OIS, September 
3,2013. 

“Federal Facilitated Marketplace Decision Memo Risk Acknowledgment Signature Page,” signed: T, Fryer, T. 
Trenkle, M, Snyder, dated: September, 27, 2013. 
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If you have any questions regarding this hearing, please contact Karen Christian, Carl 
Anderson, or Sean Hayes of the Committee staff at (202) 225-2927. 
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Centers for Medicare & Medicaid Serviccs-Red Team Discussion Document 
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Centers for Medicare & Medicaid Services, September 27, 20 1 3 

Memorandum; Federally Facilitated Marketpiace-DEClSiON 
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Centers for Medicare & Medicaid Services, September 3, 2013 Memorandum; 
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Email From: Henry Chao To and CC: other CMS officials, Subject: House 
Oversight and Government Reform Committee-Evaluating Privacy, Security, 
and Fraud Concerns with ObamaCare’s Information Sharing Apparatus, July 
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Subject: CGI Monthly Meeting Next Week, July 16, 2013 
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3 ' An impiementation leadership team and a consumer 
outreach team could drive implementation progress 
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DATE; 


TO: Marilyn Tavamer 

PROM: James Retr.CoMorfiumAdininisttator fin? Medicate HeaMb Plans Operations 

Hanry Chao, Deputy Chief Infinmarion OfiScer & Office of tofitrmation Services 
Deputy Director 

SUBJECT: FederaUyFadHtatedMarkelplace-DBCISION 


.ffiSDE : 

The Fedaal tofimnarion Security Management Act (FISMA) requires that the various Federally 
FsKffitated MatEetjdace (FFM) systems - feitetprise and Eligibility (E&l©, PmMKaal 
Mautgaoient (FM), and Plan Management (PM) successfully undergo a Security Qmtrol 
Assessment (SCA). Due to systan leadiness issues, fite SCA was oaiypartly completed. This 
constitat^ a risk that mu^ be acc^ited and mitigated to support the Maric^lace Day 1 
operations. 

BACKGROUND : 

CMS utilkes indqwndait and ^todalized contractofs to testfiie seeurity readines of ite 
srystons. Testing of the Maiketplace has beat oa-going since incqption as part of fite CMS 
Expedited lifc-Cyde process with the latest security testing occuiring in ^teosbwof 2013. As 
with dl new systems which are paiding launch, here are ihberent secmriQ' risks with not having 
all code tested in a single anvironmart, finally, the systan requirai rapid develcpment and 
release of hot-fixes and patches so it is not always available or stable during the duration of 
testing, 

From a security perspective, the aspects of the systan flat wete not tested due to the ongoing 
development, exposed a levd of uncatainty that can be deemed as a hi^ risk fot FFM. 
Although throu^ut the three rounds of SCA testing all of the security controls have been tested 
on diffaait vasions of the system, he security emdractor has not been able to test all of he 
security controls in one complete vasion of he systan. 

Tl» risk a<'Sod"t«i wih issuing an ATO for he FFM will be reduced by inrttiiting a two-part 
mitigation plan. 

First, CMS will implanait he following security processes fer he first year of opaation of 
HPM: 

• Establish a dedicated security team unda- he Chiefte&imationOfficsr (CIO) to 

monitor, track and aisure he mitigation plai activities are om^cted. The CIO and he 
Chief hjfonnation Security Officer (CKO) will rqrort weddy on he progress to he 
Healh Refijrm Opaations Board; 
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P^c 2 - The Administrator 

• Monito* and perform weekly testing of all boido' devices, including intaa^ fodug wd> 
savers; 

• Conduct d^y/weddy scans tsiagtihiCISO’scdateous monitoring tools 

• Conduct a foil SC A W on FPM {B&B, FM and PM) in a s(d>lp enviromuoit whde aU 
security controls can be tested within 60/90 days of going live on October I". 

Second, CMS will migrate focMaiketplace systems to Virtua! Oata Centa (VDC) 
environment in Ql-2014. This oivironmait has been throu^ a foil security assessment and has 
an aufoority to r^oate. 

RECOMMENDATION : 

Issue an A^rority-to-Opeetfe (ATO) for six monfos and inclement foe mitig^a flam The six 
month poiod wfo allow foe Mmkelplace to nmmalixe its development acdvitiOf wUe enabling 
foe security temn to closely monitor activities and perform a complete SCA. 



Marilyn Tay&mr 


Attachment; Fedecaily Facilitated Marketplace Decision Memo Risk Acknowledgmott Sigaatore Page 


L43 



Sisk Ackiumled^iient Si^atore Page 


^keip!a<» (PFM). Tljeiniti^on plan does not reiice &e risk to fite PFM syststo itsSirgoing 
into operstiptt ^ October 1, 2013. Howeva-, il» added protections do reriuce toe ri^ to toe 
ovt*^ Marice^lace opararions and will ensure that the FFM system is comple^y tested wiOun 
toBnextOmcaltos. 







DATE: 

TO: 


w? Mm 

Director, 


Deputy Center Director for Operations, Caitcr for Consumer Information and 
tasurance Oversigjit (CCIIO) 

IROM: Chief Information Officer and 

Director, Office of Information Services (OIS) 

SDBJECT: Auttorization Decision for the Federal Facilitated Marketplace (FFM) System 


The Fed«al Fadlitated Marketplaces (FFM) System is a Moderate level system located at the 
Tenemark Datacenter in Culpepa', Vii^nia. The syston maintains records used to support all 
Healfo Insurance Exchange Programs established by the Cmters for Medicare & Medic^d 
Swvices (Ch®) md«- the health care reform provisitms of the Affordable Care Act (PnWic Law 
11.148), FFM will help qualified individuals and small business employers shop for, select, and 
pay for high-quaUty, affordable health covera^. Exchanges will have the capfoility to 
dettnnine eligibili^ for coverage through the Exchange, for tax oedits and cost-sharing 
redactions, and for Medicaid, Basic Health Plan (BHP) and CMldreti's Health Insurance PiOgiwa 
(CHIP) coverage. As part of the eligibility and enrollment process, financial, demographic, and 
(potentially) health information will flow fiuougi the Exchange. » 

On August 8, 2013, you certified the controls for the system and submitted along with your 
certification the other requited documwtation necessary to obtain an Authorization to Operate 
(ATO)forFFM. 

I have dsdetmined throu^ a diorou^ review of the authorization paclrage that die ri^ to CMS 
information and infontiatioq systems resulting fixim foe operation of foe FFM infotmmion 
system is acceptable predicated on foe completion of the actions described in foe aWactwrwint 
Accordingly, 1 am issuing an Autborization to Operate (ATO) for foe FFM informatiat, 
system to operate in its current environment and configuration until August 31, 2814. The 
currrait configuration includes only foe Federal Facilitated Marketplaces Qn^ifled Healfii Plms 
(QHP) and Dental modules. This system is not aufocnized to establish any new connections or 
iSterte:^ with non-CMS FISMA or other non-CMS connections wifoout prior appoval during 
the period of this ATO. An impact analysis must be conducted fiw any system chariges 
in^lemented after foe issuance of this ATO. Any major modifications that tf«!t foe security 
posture of foe system will require an appropriately scoped security controls assessment md 
i^nance of a new ATO. 
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The security authorization of the informatit^sjwtenwia remain in effect until the indicahrf 
expiration date if the following conditions ate inaintained: 

(i) Required periodic security status reports to- the systan are submitted to this office in 
acccmiance widt cunent CMS poUt^i 

(ii) New vulnerabilifies ratted during fee contiimous monitorii^ process do not result 
in additional agencyrievd risk that is deemed unacceptable; and 

{iii) The sjratem has not exceeded fee maximinn ailowahle time between security 

authorizations in accordance wife Federal or CMS policy. 

TTie attachment provides infoimation rm requirements not mt*, as well as corrective actions 
needed to bring them into compliance. The actions set forth in fee attadhm^ must be entered 
into the approved CMS Plan of Action and Milestones (POA&M) ttaddng tool no later than 
30 days &om the date of this memorandum, and fee action items adfeessed no later than fee 
designated completion dates. Tlris office will monitor all POA&M items submitted during fee 
period of autiurization. 


Tony Trenkle 

Attachment 

cc: 

Marie Oh, Director OIS/CIISG/DHIM 

Darein Lyles. ISSO, OIS/CllSO/DSMDS 

Teresa Fiyw, CISO, Director OIS/EISQ 

Michad Mellor, D^ CISO, Dep. Director OIS/EISG 

Desmond If oung, OIS/EISG/DISPC 

Jessica Hoffinm, OIS/EISG/DISPC 

James Mcasah, OIS/EISG/DISPC 


r^e^j^tions, please contact Teresa Fryw, Chief Mormation Security Ofiioer (CISO), 
IT^WSPC team is also available to support staff level questions at 
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Unknown 


From: 

Sent: 

To: 

Cc: 


Sui^oct: 


Couts,Todd(CMS/OIS) 

Saturday. July 27. 20t3 12:02 PM 


Thompson, Tyrone (CMSS31S): Hotden. Stacey (CMS/OIS): Van. Hung S. «?MS/OtS): Oh, Mark 
U. (CMS/OIS); Chao. Bing (CMS/OIS); Henry. Gatina (CM^OIS); Outerhttdge, Monique 
(CMS/OIS); Grothe, Kirk A. (CMS/OIS) 


Onsite at CGI 


Attachments; Consolidated Tracking of Deployments 


Lynn, 


We would like to have you establish an on-site presence at CGI to be our eyes and ears. Right 
after our phone conversation Friday, Monique walked into my office and was having the same 
thoughts. 


Your role is to be an Independent source of truth from a governance perspective and to tell us what 
is really happening in terms of status/rlsks/progress, defects, artifact creation, etc. Peter Um, 
Hung, and Mark Oh are also spending more time at CGI to oversee the development itself. So, you 
are part of an on-site team. • 


We are assuming that two days per week would be sufficient to have insight while not getting in 
the way of work. 


Please let me know if Tuesday and Thursday would work for you and what you need fnim us to 
make this happen. 


Todd Cauls 

Ontere for Medicare & Medicaid Services 

omt* of Info. Services I Consumer Info. & InsuratKe Systems Group 
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Unknown 

From; Chao. Henry (CMS/0!S) 

Sent: Saturday, July 20. 2013 7:55 AM 

To: Cheryl Campbell: Bikram Bakshl; Chris Drunr^oote; Par Rachakonda > US; Quterbridge, 

(CMS/OIS): Oh. Mark U. (CMS/OIS>. Grothe. Kirk A. (GMS/OIS) 

Gc: Karltor^ Kim; laura Fasching: C^m. Mark (CGf Federal): Lakshmi Manambedu; M FInkel BB, Van, 

Hung B. (CMS/OIS); Donohoe, Paul X. (CMS/OIS); Coute. Todd (CMS/OIS); Htmms, Rhonda D. 
(CMS/OIS): Berkley. Kag^lC^^S); Rich Marlin; Alan Koch; GerakJim €|®wson; rich, 
schwarzkof^; gciawson|||||||H Ari Knausenberger; Radcil^, Glenn D. (CMS/OIS); Joann 

Davis; ’Brian Paget’; Kasl^ManKnwrslon. Robert (CMS/CTR); Urn, Pe^(GMS/CTR); Igor 
Raf^owdi; Riyaz Momln; Timothy Andrews; Mike Oelrich; Allda Anda^on; Stanley Rovs^; 
Margusb. Doug C. (CMS/OIS): DW. Walter (CMS/OIS): Oonick. Walter T. (CMS/OIS); lazenby* 
Daniel (CMS/OIS): Burke. Sheila M. (CMS/OIS); Schmidt, Donna W. (CMS/OIS); Adkfrts. Laura J. 
(CMS/OIS) 

Subject: House Oversight and Government Reform Committee - Evaluating Privacy. Security, and Fraud 

Concerns \Mth C^maCare*s Informatiori Sharing Apparatus 

impoftahce: High 

Below are information and links to the Congressional Hearing Marilyn TaVenner and I attended past Wednesday. 

1 am not sharing this with you because I think it's entertaining and informative. I wanted to share this vrith ^ so you 
can see and hear that both Marilyn and! under oath stated we are going to make October 1st i woirid like you ptri 
yourself in my shoes standing before Congress, which in essence is standing before the American putriic, and know 
that you spe^k the tongue of r>ot necessarily just past truths but the truth that you will make happen, the truth thatte 
apfomi^ to the public ihat millions of people depend on for us to make happen. 

Aside from- the political rhetoric, ranting, etc. my perspective is that On a personal and professional basis I made this 
promise on behalf of ail of us and I have no doubt together we will drive the outcomes that flow hom this promise. 

Everyone in this email is a leader in this endeavor and I thank you for the support and vigilance in malntainir^ this 
promise that! speak of. t ask that you ail take it every bit as serious as t do every minute of each day and in fact I vrill 
depend on it since much of my time going forward will be spent on Capitol Hill. 

Please ^are this up, down, and wide so everyone will know not just what I promised on their behalf, but also to 
kfK^w thatf am a true believer in.pur collective talents and commitment to change the world We live in andirnproye 
the'lives erf real people. 

Thankyou. 

Henry Chao 

Deputy CIO & Deputy Director, 

Office of Information Services 
Ceritets foe Medicare & Medicaid Services 



the included link is 10 a C-SPAN video of the hearing. 
httD://www.e-snanvideo.org/proaran-i/Carelnfor 

Honse Oversight and Government Reform Committee 
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Wednesday July 1 7j2013 | ! 0:00 a m. in 2154 Raybutn House Office Building 

http://oversight.house.gQV/hearing/evaluating-Drivacv-sccuii tv-a nd- &alid-concenis-with-obaniaeares- 
infnrmation-sharing-apparatus/ 

Witnesses 

Tte Honorable Danny Werfel 
Principal Deputy Conunissioner 
Internal Revenue Service 

The Honorable Marilyn B. Tavenner 
Administrator 

Centers for Medicare and Medicaid Services 
U.S. Department of Health and Human Services 

Mr. Henry Chao 

Deputy Chief Information Officer 

Deputy Director of the Office of Information Services 

Centers for Medicare and Medicaid Services 

U.S. Department of Health and Human Services 

Mr. Alan R. Duncan 

Assistant Inspector General for Security and Information Technology Services 
Treasury Inspector General for Tax Administration 
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Unknown 

From: Chao, Henry (CMS/OIS) 

Sent: Tuesday, July 16, 2013 10:0? AM 

To: Outerbridge. Mfonique (CMS/OiS) 

Cc: Murray. Ruarrl S. (CMS/OJS); Grothe. Kirk A (CMS/OIS); Berkley, Katrtta (GMS/OIS). Oh. Mark U 

(CMS/OIS); Van, Hung B. (CMS/OIS); Rhones. Rhonda D. (CMS/OIS) 

Subject: RE: CGI Monthly Meehng Next Week 

Impor^nce: High 

Did you see my other email about first just talking to Rich Martin to convey just how loyv the confidence 
and then pile on top of that the request for more money when we constantly struggle to get a release done, 
vacillating on delivery by due dates, and worse of all poor QA from build of the VMs all the way up to their 
software. They are the Prime and take direction from us so I don't want to hear about Marklogic, TMRKAIRS, or 
anything elase. I just need to feel more confident they are not going to crash the plane at take-off, regardless of 
price. 

Figure out how to get that conversation conducted and message conveyed. 


Henry Chao 

Deputy CIO & Deputy Director. 

Office Of Information Services 

Medicare & Medicaid Services 



FitMiti Outerbridge, Monique (CMS/OIS) 

Sent: Tuesday, July 16, 2013 10:02 AM 

To: Robinson, Carolyn 6. (CMS/OIS); Tfenkle, Tony (CM^OIS); King, Terris (CMS/OIS); Chao, Henry (CMS/OIS); 
GrOfte, Kirk A. (CMS/OIS) 

Cc SWppy, Scott (CMS/OIS); Lewis, Melinda (CMS/OIS); Tierney, Jar^t L, (CMS/OIS); Blondeil, Star (CMS/OIS); 
W^ss, Paul (CMS/OIS) 

subject: RE; COI Monthly Meeting Next Week 

fm going to check with Mary to see if we can reschedule. Henry and ! both will be in DC tomorrow and based on 
how Kirk looks and feels twlay 1 suspect he may not be in tomorrow. 


From: Robinson, Carolyn E. (CMS/OIS) 

Sent; Friday, July 12, 2013 12:11 PM 

To; TrenWe, Tony (CMS/OIS); King, Terris (CMS/OIS); Chao, Henry (CMS/OIS); Grothe, Kirk A. (CMS/OIS) 

Cc; Outerteldge, Monique (CMS/OK); Shippy, Scott (CMS/OIS); Lews, Melinda (CMS/OIS); Tierney, Janet L 
(CMS/OIS); Blondell, Star (CMS/OIS); Weiss, Paul (CMS/OIS) 

Subject: CGI Monthly MeeHng Next Week 

There is a CGI monthly meeting next week. Some information you ail will want to know Is that they need about 
$38 million more to get them through Feb 2014. CIISG is reviewing the proposal, and they will be gettlrvg back, 
to Paul Weiss, by next Thursday. This $38 does not include the approximate $40 million we have in the budget 
for this contract. 

Kirk, you will want to weigh In with any technical points you want to make. 



FPED UPTON. MICHIGAN 
CHAIRMAN 
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HENRY A- WAXMAN, CALfFORNW 
RANKING MEMBER 

ONE HUNDRED THIRTEENTH CONGRESS 

Congresfs ot tfie Mntteii 

House of Hepreseutatibes 

COMMITTEE ON ENERGY AND COMMERCE 
2125 Rayburn H(5use Ofhce Buildino 
Washington, DC 20515-6115 

N»10«}¥ !2e2i2?5,232T 
MimsHy 12021225-5^1 


December 1 1, 2013 


Mr. Henry Chao 

Deputy Chief Information Officer and Deputy Director 

Office of Information Services 

Centers for Medicare and Medicaid Services 

7500 Security Boulevard 

Baltimore, MD 21244 

Dear Mr. Chao: 

Thank you for appearing before the Subcommittee on Oversight and Investigations on Tuesday, 
November 19, 2013, to testify at the hearing entitled “Security of HealthCare.gov.” 

Pursuant to the Rtilcs ofthe Committee on Energy and Commerce, the hearing record remains 
open for ten business days to permit Members to submit additional questions for the record, which are 
attached. The format of your responses to these questions should be as follows: (1) the name ofthe 
Member witose que.stion you are addressing, (2) the complete le.\t ofthe question you are addressing in 
bold, and (3) your answer to that question in plain text. 

Also attached arc Member requests made during the hearing. The format of your responses to 
the.se requests should follow the same fonnai as your responses to the additional questions for the record. 

To facilitate the printing of the hearing record, please respond to these questions and requests by 
the close of business on Tuesday, December 3 1, 2013. Your responses should be mailed to Brittany 
Havens, Legislative Clerk, Committee on Energy and Commerce, 2 1 25 Rayburj^fonse Office Building, 
Washington, D.C. 20515 and e-mailed in Word format to brittany.havenst^^^^^^m 

Thank you again for your time and effort preparing and delivering testimony before the 
Subcommittee. 

Sincerely, 

Tim Murphy ^ 

Chairman 

Subcommittee on Oversight and Investigations 
cc: Diana DeOette, Ranking Member, Subcommittee on Oversight and Investigations 


Attachments 
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Henry Chao’s Hearing 
“HealthCare.gov” 

Energy & Commerce Committee 
Oversight & Investigations Subcommittee 

November 19, 2013 


Attaehment 1 — Additional Questions for the Record 
The Honorable Cory Gardner 

1. Was there any consultation or recommendations from CMS to states on how to develop 
their websites? 

Answer: Section 1311 outlines Federal requirements for Marketplaces. These include the 
minimum functions the Marketplace must undertake as well as the oversight responsibilities the 
Marketplace must exercise in certifying and monitoring the performance of qualified health 
plans. Plans participating in the Marketplace must also comply with state insurance laws and 
Federal requirements in the Public Health Service Act. In defining the authority and duties of a 
Marketplace, stales were required to incorporate, by reference or explicit provisions, the 
Federally-required Marketplace functions and oversight responsibilities as required by 
section 1321 of the Affordable Care Act. 

2. Do you know the extent of the interaction between CMS and Connect for Health 
Colorado? 

Answer: CMS is working with all states to continually improve their systems and business 
processes in accordance with published regulations and guidance. The foundation of the 
seamless consumer experience between state-based Marketplaces and Medicaid and CHIP 
agencies is formed through the development and use of a shared single eligibility system. 

3. To the best of your knowledge, have state websites been tested? If so, are they safe for 
the consumer? 

Answer: Yes, as part of each state’s Blueprint submission, states had to both attest to, and 
submit test files to and receive files from the Data Services Hub. These included IT tests for 
functionality and compliance to established IT requirements. Tests included verification of 
compatible technology, infrastructure, and bandwidth required to support all Marketplace 
activities, as well as verification of a secure connection between the state system and the Data 
Services Hub. Tests were reviewed and confirmed to be effectively implemented by the 
independent verification and validation (IV&V) team through quality management processes and 
test procedures for Marketplace-development activities. Testing included verification of a secure 
connection between the state system and the Data Services Hub. A senior official in each state 
attested to their adherence to, and compliance with, the established security and privacy 
framework. 
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4. Were states able to utilize CMS’ contractors to test their websites? 

Answer: Each state-based Marketplace had its own vendor selection and IT development 
process separate from the contracting and IT development for the Federally-facilitated 
Marketplace. 

5. Is Connect for Health Colorado fully functional? 

Answer: Coloradans interested in what insurance options are available to them can browse 
plans directly through Connect for Health Colorado - Colorado’s State-based Marketplace - If 
Coloradans are seeking financial assistance, they can apply in a coordinated, integrated 
application process that will result in an eligibility determination for any of the three 
affordability programs (advanced payment of the premium tax credits/cost sharing reductions, 
Medicaid or CHIP). 

6. Has end-to-end testing been completed for state-run exchange websites? 

Answer: As noted above, each state was required, as part of its Blueprint submission, to have a 
plan for testing their website, including the site’s functionality. Marketplaces also must have 
capacity to accept and process applications online, compute APTCs, and process QHP selections 
and terminations electronically in coordination with issuers and CMS, among other Marketplace 
functions. 

7. How has the connection between the state exchange and other databases, including 
federal databases, been tested for security and privacy? 

Answer: In keeping with industry practice, CMS established strong security controls and 
standards, which each state was required to meet in order to connect to the Hub. These controls 
and standards are based on the guidelines issued by the National Institutes of Standards and 
Technology (NIST). Each state is required to establish a secure socket layer (SSL) connection 
between the state system and the Data Services Hub, to include FIPS 140-2 compliant encryption 
algorithms. 

8. Are you confident the state sites do not present a risk? 

Answer: States are required to meet the Blueprint requirements, pass functional and security 
testing, and sign a number of agreements attesting to the readiness and security of their IT 
system. Each state that was connected to the Hub on October 1 had either completed an 
authority to connect (ATC), or was granted a short-term ATC. Before an ATC is issued, states 
must sign a Computer Matching Agreement, an Interconnection Security Agreement and an 
Information Exchange Agreement, ail of which bind the state to rules and operating procedures 
related to data security and privacy. Additionally, states are required to complete a security plan, 
a risk assessment, a corrective action plan to address risks, and a self-assessment or a third party 
test for each security control. Every state that was connected on October 1 adhered to these 
procedures. 


I 
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The Honorable G.K. Butterfield 


1. The Hub and Marketplace systems have robust security systems designed to enable 
CMS to remain vigilant against any security threat. 

a. Can you provide some examples of instances which would cause CMS to take a 
closer look at a potential incident? 

Answer: Any unusual activity would cause CMS to examine an incident more closely. 

b. Who would make the determination whether to initiate the Incident Response 
capability? 

Answer: The Incident Response (IR) process is activated every time an internal alert or external 
report of an event is triggered. The IR process includes the early workflow to triage all events 
and to place them into threat categories. Appropriate response processes are established for each 
threat category, 

c. Would law enforcement authorities be notified automatically and in real time if 
the Incident Response capability was activated? 

Answer: If a violation of the law is suspected, the CMS security team notifies the Chief 
Information Security Officer of HHS, who in turn notifies the Office of Inspector 
General (OIG) Computer Crime Unit and also submits a report to the United States Computer 
Emergency Readiness Team (US CERT). Within CMS and HHS, the notification processes to 
these entities are automated to allow for rapid notification and response. 

2. Mr. Chao, you indicated that the Issues that have delayed many of the 137,000 
individuals in my district who arc anxious to sign up for the ACA were due to an 
underestimation of the volume of users and in no way connected with security delays. It 
seems apparent that strong security safeguards arc in place and that once the website is 
up and running our constituents can use it with confidence. 

a. With the Hub up and running as intended, can you explain why eastern North 
Carolinians should feel safe using it and what added efficiency and security 
benefits it provides? 

Answer: The security and protection of personal and financial information is a top priority for 
CMS, which, for decades, has protected the personal information Americans enrolled in 
Medicare, Medicaid, and CHIP. CMS used this experience and our security best practices to 
build a secure Data Services Hub that consumers should feel confident using. 

CMS follows Federal law, government-wide security processes, and standard business practices 
to ensure stringent security and privacy protections, CMS’ security protections are not singular 
in nature; rather the marketplace is protected by a vast array of security layers. First, the system 
was developed with secure code. Second, the system’s infrastructure is physically and logically 


2 



182 


protected by our hosting provider. Third, the system is protected through an internet defense 
shield in order to minimize access to any personal data. Finally, several entities provide direct 
and indirect security monitoring, security testing, and security oversight which include various 
organizational groups in CMS, HHS, US-CERT at the Department of Homeland Security (DHS), 
and the HHS OIG. Each of these groups have varying roles to ensure operational, management, 
and technical controls are implemented and successfully working. The Data Services Hub is 
protected by the high standards demanded of Federal information systems, including the 
standards prescribed by FISMA, NIST, the Privacy Act, and the Office of Management and 
Budget (0MB). 

A large number of connections can cause security vulnerabilities. The Hub allows for one highly 
secured connection between closed databases of trusted states and Federal agencies instead of 
hundreds of connections. A series of business agreements enforce privacy controls between 
CMS and our Federal and state partners. 

b. As the Marketplace interface comes online, can you discuss some of the security 
benefits that site provides to consumers, including the fact that they no longer 
need to provide detailed medical history? 

Answer: HealthCare.gov does not collect personal health information (PHI). PHI is not 
necessary to the single streamlined application process because, due to the guaranteed issue 
provision of the Affordable Care Act, issuers are prohibited from denying applicants insurance 
based on their pre-existing conditions. Therefore, consumers in the Marketplace do not need to 
disclose details of their medical history as they might have had to do when they applied for 
health coverage in the past. Additionally, CMS follows Federal law, government-wide security 
processes, and standard business practices to ensure stringent security and privacy protections for 
the limited personal information provided in the single, streamlined application. 

3. Both the data services Hub and the Federally-facilitated Marketplace eligibility and 
enrollment system build on existing information technology systems. 

a. Can you explain how the Hub and Marketplace systems build on the security 
systems from programs like Medicare Advantage and State Medicaid agencies? 

Answer: The Hub and Marketplace systems have the same stringent security standards that 
CMS has employed to protect other databases and information. CMS developed the Marketplace 
systems consistent with Federal statutes, guidelines and industry standards that ensure the 
security, privacy, and integrity of systems and the data that flows through them. All of CMS’ 
systems of records are subject to the Privacy Act of 1974, the Computer Security Act of 1987, 
and the Federal Information Security Management Act of 2002. These systems must also 
comply with various rules, regulations, and standards promulgated by HHS, OMB, DHS, and 
NIST. 

4. It is clear that many existing laws, rules, regulations, and standards have been met for 
the Hub and Marketplace systems to operate. In other words, keeping sensitive 
information secure at HHS seems to be something your agency does in other areas. 
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a. Your agency has demonstrated before that it is able to effectively safeguard 
sensitive personal information from individuals, is that correct? 

Answer: CMS has worked diligently over many years to protect the sensitive information we 
are tasked with maintaining as part of our services to millions of Americans, CMS operates and 
oversees systems that contain sensitive information about Medicare beneficiaries, physicians 
who participate in Medicare, and Medicare claims. 

b. Can you provide example where HHS has managed an information technology 
system and protected sensitive personal information and compare that system to 
the Hub and Marketplace? 

Answer: The Medicare program utilizes CMS’ information systems to protect sensitive 
information about the Medicare beneficiaries, physicians who participate in Medicare, and 
Medicare claims. While the Hub and Marketplace serve a different population, our commitment 
to protect the private information of consumers, providers, and beneficiaries remains the same. 

The Hub provides one highly secured connection among trusted Federal and state agencies 
instead of requiring each agency to set up what could have amounted to hundreds of 
independently established connections. Further, the Hub is not a database; it does not retain or 
store information. It is a routing tool that can validate applicant information from various trusted 
Government agencies through secure networks. 
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Attachment 2 — Member Requests for the Record 

During the hearing. Members asked you to provide additional information for the record, and 
you indicated that you would provide that information. For your convenience, descriptions of 
the requested information are provided below. 

The Honorable Michael C. Burgess 

1. Do you feel during your time that there has been a single implementation leader that 
you could look to for advice and direction throughout this process? If so, please provide 
their name(s). 

Answer: As Administrator of CMS, Marilyn Tavenner oversees Affordable Care Act 
implementation. 


The Honorable Gregg Harper 

1. Do you have a central reporting location of the navigators that are in violation or 
reported in violation? 

Answer: The Navigator program and grantees are overseen by the Center for Consumer 
Information and Insurance Oversight and by the Office of Acquisition and Grants Management, 
which ensure that all grantees abide by the terms of their funding agreements. 

CMS has several tools to respond to any organizations found in violation of the terms of the 
Federal Navigator program, including issuing a Corrective Action Plan to the grantee, 
decertifying individual Navigators, and terminating the grant. 
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FRED UPTON. MICHIGAN HENRY A. WAXMAN. CAUFOfiNJA 

CHAIRMAN RANKING MEMBER 

ONE HUNDRED THIRTEENTH CONGRESS 

Congress of tlie ®nttei« States 

blouse oi iBepresftntatiDeif 

COMMITTEE ON ENERGY AND COMMERCE 
2125 Rayburn House Ofrce Building 
Washingtwj, DC 20515-6115 

Matority f2a^»Sn2927 
Mlnortty (202)225-3641 


Dec«nber 11,2013 


Mr. Jason Providakes 

Senior Vice President and General Manager 
Center lor Connected Government 
jrfnilE Corporation 
75 15 Colshire Drive 
McUffli,VA 22102-7539 

Nfr. Provldakes: 

Thank you for appearing belbre the Subcommittee on Oversij^t and Investigations on Tiresday, 
November 19, 2013, to testify at the hearing entitled “Security of HeaJthCare.gov ” 

Pursuffltt to the Rules ofthe Committee on Energy and Commerce, the hearing recoittroni^ns 
open fbr ten business days to pennit Members to submit additional questions for die record^ v^Oh are 
The fonnatof your responses to these questions should be as follows: (1) the name ofthe 
Membi^ Vi4iose question you are addressing, (2) the complete text of die question you are addressing in 
bold, and 0) your answer to that question in plain text. 

To facilitate the printing of the hearing record, please respond to these questions by the cIo« of 
businessoh Tuesday, December 3 1 , 20 13. Your respemses should be mailed to Brittany Havens, 
Legislative Clerk, Committee on Energy and Commerce, 2125 Rayburn Building, 

Washington, D.C. 20515 and e-maiicd In Word format to brittany.havens^fl|||||[[||. 

Th^k you again for your time and effort preparing and delivering testimony before the 
Subcommittee. 


Sincerely, 


turn 

Tim Murphy 




Chairman 

Subcommittee on Oversight and Investlj^tions 


cc: Diana DeOette, Ranking Member, Subcommittee on Oversight and Investigations 
Atdichment 
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For the Record: Responses to Additional Questions from The Honorable O.K. Butterfield 
regarding testimony at Energy & Commerce Oversight & Investigations Subcommittee hearing 
Nov. 19, 2013 of: 

Dr. Jason Providakes 
Senior Vice President 
Center for Connected Government 
The MITRE Corporation 

1). Can you elaborate on the successes MITRE had in remediating risks assessed as “high” with 
CMS-designated contractors? 

Dr. Providakes: 

MITRE has no role in the remediation of risks. MITRE does not remediate findings. We 
recommend mitigations. It is the responsibility of CMS and its contractors to correct any risks 
identified during a Security Control Assessment (SCA). MITRE may, at the request of CMS, go 
back and validate that previously identified risks have been remediated. 

Two high risk vulnerabilities were identified as unresolved in the Exchange Consumer Web 
Services (ECWS) Final Security Control Assessment (SCA) Report dated August 23, 2013. 
MITRE was not requested by CMS to validate closure of these risks and therefore MITRE has no 
knowledge of the status of these risks. Those two risks were: 

Inconsistent use of security communication protocols: The use of secure computer 
communications (in the form of encryption standards found in Hyper Text Transport Protocol 
Secure (HTTPS)) to transport data between the user and the ECWS application was found to be 
inconsistent, thereby potentially exposing data in transit. MITRE observed that data traffic was 
sent using an unsecured transport protocol rather than HTTPS encryption. 

Several components were not production ready, and MITRE was therefore unable to test some 
CMS security controls, e.g. Access Control: Several components (e.g., LDAP; Splunk) were not 
production ready, which meant that MITRE was unable to assess the degree to which certain 
CMS mandated security controls had been implemented. These limitations were specifically 
documented in the ECWS SCA Final Report. 

2. ) Can you discuss some of the security progress that MITRE observed through subsequent 
SCAs? 

Dr. Providakes: MITRE has not been involved in any Healthcare.gov SCAs since the 1 1 October 
1 1 , SCA - “Health Insurance exchange (HIX) August-September 20 1 3 SCA Report.” MITRE 
is currently conducting an onsite application-only SCA on the Federal Facilitated Marketplace 
system. The expected completion date is January 9, 2014. 

3. ) Has CMS outlined a timetable to meet additional outstanding risks identified by MITRE in 
SCA reports? 
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Dr. Providakes: MITRE is not aware of any timetable regarding the mitigation of any 
outstanding risks associated with Healthcare.gov. CMS, in conjunction with its contractors, is 
responsible for the development and maintenance of the Plan of Action and Milestone (POAM) 
for remediation of security risks. MITRE has no involvement with POAMs and/or timetables. 
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FRED UPTON, MICHIGAN HENRY A, WAXMAN, CAUFORNI, 

CHAIRMAN RANKING MEMBER 

ONE HUNDRED THIRTEENTH CONGRESS 

Congregg of tfie ^tateg 

l^ouse oC i&eprts^entatibesf 

COMMITTEE ON ENERGY AND COMMERCE 
2125 Rayburn House Office Building 
Washington, DC 20515-^115 

Majortty 1202) 225-ZdZ? 

Minority t2eQS 22S-3641 


December Ii«20l3 


Ms. Ma^ie Bauer 
Senior Vice President 
Services 

C^ative Computing Solutions, Inc. 

.1^1 Research Boulevard, Suite 600 
RockviHe,M0 20850 

Dear Ms. Bauer: 

Hiank you for appearing before the Subccmimittee on Oversi^t and Investigations on Tii^day, 
Novemb^ 19,2013, to testify at the hearing entitled “Security of HealthCare.gov.” 

Pursuant to the Rules of the Committee on Energy and Commerce, the hearing record r^ains 
open R>r ten business days to permit Members to sulunit ^ditionai questions for the record, ate 
attached. The fonnat of your responses to these questions should be as follows: (I) the name ofthe 
Member whose question you are addre^ing, (2) ^e complete text ofthe question you are addressing in 
bold, and (3) your answer to that question in plain text. 

Also attached are Member requests made during the hearing. The format of your responses to 
diese requests should follow the same format as your responses to the additional questions for the record. 

To Ricilitate the printing of the hearing record, please respond to these questions and requests 
the close of business on Tuesday, December 31, 2013. Your responses should be mailed to BritteE^ 
Havens, Legislative Clerk, Committee on Energy and Commerce, 2125 RaybunUlwse Office Building, 
Wa^ington, D.C. 20515 and e-maited in Word format to lM’ittany.bavens(^||||||||||H^ 

Thank you again for your time and cfTmt pre|»ring and delivering testimony before the 
Subcommittee. 


Sincerely, 

Tim Murphy V 

Chairman 

Subcommittee on Oversight and Investigations 
cc: Diana DcGette, Ranking Member, Subcommittee on Oversight and Investigations 


Attachments 
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Michael Gill 
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December 23, 2013 


The Honorable Tim Murphy 
Chairman 

Hoiec Committee on Energy and Commerce 
Subcommittee on Oversight and Investigations 
2125 Rayburn House Office Building 
Washington, D.C. 20515-6115 

Re: Response to Questions for the Record from Creative Computing Solutions, Inc. 
Dear Mr. Chairman: 

On behalf of our client, Creative Computing Solutions, Inc. (“CCSi”), we are pleased to 
provide the attached responses to the Subcommittee’s Questions for the Record letter. 

m 

h^hael Gill 
Counsel for CCSi 

cc: The Honorable Diana DeGette, Ranking Minority Member 


Crowell & Moring LIP ■ www.croweU.com > Washinglon, DC ■ New Yorit ■ San Fnndsco • Los Angeles • Orange Coitn^ ■ Anchorage . London . Brussels 
26142637 
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Attachment 1 — Additional Questions for the Record 


The Honorable G.K. Butterfield 

It is clear that CMS has a robust framework to respond to malicious activity that CCSi adheres 
to. 

a. Ms. Bauer, does CCSi use both automated and manual approaches to search for 
malicious behavior? 

Answer: Yes. 

b. Can you provide an example of an anomaly that might prompt CCSi to respond? 

Answer: A foreign (non U.S.) IP address attempting to connect to 
healthcare.gov. 

c. Would CCSi implement the CMS approved Incident Response Plan (IRP) if any 
anomaly related to sensitive information was detected? 

Answer: Yes. 

d. At what point might law enforcement be involved under the IRP? 

Answer: CMS would make any decisions to involve law enforcement. 


Error! UnknowB documeot property name. 
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Attachment 2-Member Requests for the Record 

During the hearing, Members asked you to provide additional information for the record, 
and you indicated that you would provide that information. For your convenience, 
descriptions of the requested information are provided below. 


The Honorable Tim Murphy 

a. During the hearing, we asked Mr. Amsier if he had all of the tools and capabilities 
to successfully and fully monitor the system, he said that "there are some things 
that we have asked for that are not in place as of yet." You said you agreed with 
his statement. Please elaborate on why you agree with that statement and how it 
applies to CCSi. 

Answer; Today’s cyber security environment involves constantly evolving 
threats and equally evolving tools, technologies and techniques to address them. 
CCSi’s objective is to recommend and implement the most robust security 
approaches for our clients. Those recommendations will evolve and change 
over time to reflect the current threat environment. Over the course of its 
contracts, CCSi normally requests additional capabilities to service the client 
and address the current threat environment. To this end, CCSi along with its 
subcontractor, compiled a list of additional, potential security measures for CMS 
to consider. 


Error! Unknowa document proper^ name. 



192 

fRED UPTON, MICHSOAN HENRY A. WAXMAN, CALSTORNIA 

CHAIRMAN RANKING MEMBER 

om HUNDRED THMrreeNTH CONGRESS 

CongresJg of tl^t finite States 

j|ouse of JSEprfStiitatiOeS 

COMMITTEE ON ENERGY AND COMMERCE 
2125 Rayburn House OfFKE SuiLDiNC 
Washington, DC 2051&-6115 

t202!?T6“a:^ 

Njficlly 12021325-^1 


December 1 1, 2013 

Mr, David Amsler 
President and CIO 
Foreground Security Inc. 

801 International Parkway 
5th Floor 

Lake Mary, FL .32746 
Dear Mr. Amsler; 

Thank you for appearing before the Subcommittee on Oversight and Investigations on Tuesday, 
November 19, 2013, to testify at the hearing entitled “Security of HealthCare.gov.” 

Pursuant to the Rules of the Committee on linergy and Commerce, the hearing record remains 
open for ten business days to permit Members to submit additional questions for the record, which are 
attached. The format of your responses to these questions should be as fallows; (1) the name of the 
Member whose question you are addressing, (2) the complete text of the question you are addressing in 
bold, and (3) your answer to that question in plain text. 

Also attached are Member requests made during the hearing. The format of your responses to 
these requests should follow the same format as your responses to the additional questions for the record. 

To facilitate the printing ofthe hearing record, please respond to these questions and requests by 
tlie close of business on Tuesday, December 31,2013. Your responses should be mailed to Brittany 
Havens, Legislative Clerk, Committee on Energy and Commerce, 2125 Raybun^touse Office Building, 
Washington, D C. 205 1 5 and e-mailcd in Word format to briUany.havcns|mi^HB| 

Thank you again for your time and effort preparing and delivering testimony before the 
Subcommittee. 


Sincerely, 



Chainnan 


Subcommittee on Oversight and investigations 


cc; Diana DcGetle, Ranking Member, Subcommittee on Oversight and Investigations 


Attachments 



David Amsler 
President and CIO 
Security and Healthcare.gov 
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Attachment 1- Additional Questions for the Record 

The Honorable G.K. Butterfield 

1. It is encouraging to know that numerous highly trained security personnel are 
continuously monitoring the new virtual data center created for the ACA 
a. Mr. Amsler, does Foreground Security use both automated and manual 
approaches to search for malicious behavior? 


Foreground Security uses a variety of tools to examine network, server, and 
application activity for matches to known malicious behavior and/or 
deviations from "normal" user behavior. Through these pattern matching and 
anomaly detection functions, these tools provide an automated mechanism 
for identifying malicious behaviors. 

Our human analysts review the logs and alerts generated by these tools to 
differentiate between normal activity that may have triggered an alert and 
truly malicious behavior. The team also analyzes raw data generated by the 
heaithcare.gov systems and networks to identify malicious behavior the tools 
may not be capable of detecting. This is a key function, as sophisticated 
attackers will often change their tactics to avoid automated detection. 


b. If malicious activity is detected, what responsibilities does Foreground 
Security have to report that activity and who do you report it to? 

If malicious activity is detected, our procedures dictate that we gather all 
relevant details including systems affected, functions and data within those 
systems that may have been exposed, the nature of the activity in question, 
users and external systems involved, timeline of events, and other 
information that helps determine the scope of the incident. 

Our team then opens an internal CMS incident case, populates it with those 
key details, and escalates to the Federal IT Security Manager on duty. 
Depending on the criticality of the incident, that escalation occurs in as little 
as 30 minutes and may also include the Director for Marketplace Security, 
the CMS Chief Information Security Officer (CISO), and other CMS and HHS 
executive leadership. 
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c. At what point might law enforcement become involved after malicious 
activity has been noticed? 

Our incident reporting chain includes the HHS Office of the Inspector General 
(OIG), which provides criminal investigative functions and acts as an 
interface to other Law Enforcement agencies in cases where an incident is 
determined to include unlawful activities. That determination is made by the 
OIG in conjunction with the FBI and other Law Enforcement agencies with 
whom the OIG liaises. 
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Attachment 2- Member Requests for the Record 

During the hearing. Members asked you to provide additional information for the 
record, and you indicated that you would provide that information. For your 
convenience, descriptions of the requested information are provided below 

The Honorable Tiro Murphv 

During the hearing, when asked if you have all of the tools and capabilities to 
successfully and fully monitor the system you said that "there are some things that 
we have asked for that are not in place as of yet." Please elaborate on what you 
meant when you said that. 

1. Foreground and our partner CCSi maintain a complete list of current capabilities, 
required tools/capabilities that aren’t in place or functioning, and future 
roadmap items that are requested. That report is provided to the government 
(COTR and COR) on a monthly basis and 1 believe examples of that report were 
turned over to the committee during our extensive document collection effort 
that included every email, report, or all other documents related to this contract 


o 



